CVE-2026-33685: CWE-862: Missing Authorization in WWBN AVideo
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `plugin/AD_Server/reports.json.php` endpoint performs no authentication or authorization checks, allowing any unauthenticated attacker to extract ad campaign analytics data including video titles, user channel names, user IDs, ad campaign names, and impression/click counts. The HTML counterpart (`reports.php`) and CSV export (`getCSV.php`) both correctly enforce `User::isAdmin()`, but the JSON API was left unprotected. Commit daca4ffb1ce19643eecaa044362c41ac2ce45dde contains a patch.
AI Analysis
Technical Summary
WWBN AVideo is an open-source video platform widely used for hosting and streaming video content. In versions up to and including 26.0, the endpoint `plugin/AD_Server/reports.json.php` responsible for providing ad campaign analytics data does not perform any authentication or authorization checks. This is a classic case of missing authorization (CWE-862). As a result, any unauthenticated attacker can send requests to this JSON API and retrieve sensitive information such as video titles, user channel names, user IDs, ad campaign names, and metrics like impression and click counts. Notably, the HTML report page (`reports.php`) and CSV export (`getCSV.php`) correctly enforce admin-level access via `User::isAdmin()`, indicating a coding oversight limited to the JSON endpoint. The vulnerability is remotely exploitable without any user interaction or privileges, increasing its risk. Although the vulnerability does not allow modification or deletion of data, the exposure of sensitive analytics data can aid attackers in profiling users and campaigns, potentially facilitating targeted attacks or privacy violations. The vendor has addressed this issue in a patch committed under the identifier daca4ffb1ce19643eecaa044362c41ac2ce45dde. The CVSS v3.1 base score is 5.3 (medium), reflecting the confidentiality impact and ease of exploitation without authentication.
Potential Impact
The primary impact of this vulnerability is the unauthorized disclosure of sensitive ad campaign analytics data. Organizations using affected versions of WWBN AVideo risk exposure of internal marketing data, user identifiers, and video metadata. This can lead to privacy violations, competitive intelligence gathering by malicious actors, and potential reputational damage. While the vulnerability does not allow data modification or service disruption, the leaked information could be leveraged in social engineering, targeted phishing, or further attacks against the platform or its users. Media companies, content creators, and advertisers relying on AVideo for monetization and analytics are particularly at risk. The ease of exploitation and lack of required privileges mean attackers can quickly and remotely gather intelligence without detection. This could also violate data protection regulations if user-related data is exposed without consent.
Mitigation Recommendations
Organizations should immediately upgrade WWBN AVideo to a version that includes the patch (commit daca4ffb1ce19643eecaa044362c41ac2ce45dde); the code-level fix is to give `plugin/AD_Server/reports.json.php` the same `User::isAdmin()` guard that `reports.php` and `getCSV.php` already enforce. If an upgrade is not immediately possible, administrators should implement network-level access controls to restrict access to the `plugin/AD_Server/reports.json.php` endpoint, such as IP allow-listing or VPN requirements. Additionally, web application firewalls (WAFs) can be configured to detect and block unauthorized requests to this endpoint. Reviewing and auditing all API endpoints for consistent authentication and authorization enforcement is recommended to prevent similar issues, since this flaw is an inconsistency between sibling endpoints rather than a missing feature. Monitoring access logs for unusual or repeated requests to this JSON endpoint can help detect exploitation attempts. Finally, informing users and stakeholders about the exposure and reviewing privacy compliance measures is prudent.
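The audit step above (checking that sibling endpoints enforce the same authorization guard) can be mechanised. The following is an added example, not code from the AVideo project or this advisory: a small scanner that reads PHP endpoint sources and reports any HTTP entry point that never calls a recognised guard. The sample sources are constructed to mirror the shape the advisory describes (`reports.php` and `getCSV.php` guarded by `User::isAdmin()`, `reports.json.php` unguarded); `User::isLogged()`, `forbiddenPage()`, `renderReportTable()`, `toCsv()` and `loadCampaignStats()` are assumed helper names used only for illustration, and the entry-point heuristic is an assumption to be tuned per code base.

```python
"""Audit sibling PHP endpoints for a consistent authorization guard.

Added example (not AVideo project code). It mimics the inconsistency the
advisory describes: reports.php and getCSV.php call User::isAdmin() before
emitting data, reports.json.php does not. The scanner flags any endpoint in
a plugin directory whose source contains no recognised guard call.
"""
import os
import re
from typing import Dict, List

# Guard calls treated as "this endpoint checks authorization". User::isAdmin()
# is named on the advisory page; User::isLogged() is an assumed additional
# helper name and the alternation can be trimmed or extended per code base.
GUARD_PATTERN = re.compile(r"\bUser::(isAdmin|isLogged)\s*\(")

# Assumed heuristic: a file is an HTTP entry point if it reads request input,
# sets a response header, or echoes output. Pure library files are skipped.
ENTRYPOINT_PATTERN = re.compile(r"\$_(GET|POST|REQUEST)\b|\becho\b|\bheader\s*\(")


def find_unguarded(sources: Dict[str, str]) -> List[str]:
    """Return endpoint paths whose PHP source lacks an authorization guard."""
    unguarded = []
    for path, code in sorted(sources.items()):
        if not path.endswith(".php"):
            continue
        if not ENTRYPOINT_PATTERN.search(code):
            continue  # library file, not an HTTP endpoint
        if GUARD_PATTERN.search(code) is None:
            unguarded.append(path)
    return unguarded


def scan_directory(root: str) -> List[str]:
    """Walk a real plugin tree and apply the same check to every .php file."""
    sources = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.endswith(".php"):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    sources[os.path.relpath(full, root)] = fh.read()
    return find_unguarded(sources)


# Constructed sample sources shaped after the three endpoints the advisory
# names. They are illustrations, not the project's real file contents;
# forbiddenPage, renderReportTable, toCsv and loadCampaignStats are assumed.
SAMPLE_SOURCES = {
    "plugin/AD_Server/reports.php": """<?php
require_once '../../videos/configuration.php';
if (!User::isAdmin()) {
    forbiddenPage("Admin only");
}
echo renderReportTable($rows);
""",
    "plugin/AD_Server/getCSV.php": """<?php
require_once '../../videos/configuration.php';
if (!User::isAdmin()) {
    forbiddenPage("Admin only");
}
header('Content-Type: text/csv');
echo toCsv($rows);
""",
    "plugin/AD_Server/reports.json.php": """<?php
require_once '../../videos/configuration.php';
header('Content-Type: application/json');
echo json_encode(loadCampaignStats($_GET['campaign'] ?? null));
""",
    "plugin/AD_Server/Objects/helpers.php": """<?php
function toCsv($rows) { return implode(PHP_EOL, $rows); }
""",
}

if __name__ == "__main__":
    for path in find_unguarded(SAMPLE_SOURCES):
        print(f"no authorization guard: {path}")
```

Run against the constructed samples it reports only `plugin/AD_Server/reports.json.php`, which is exactly the inconsistency the advisory describes; `scan_directory()` applies the same check to a real checkout. The regexes are deliberately coarse (a guard buried in an included file is not seen, and a guard present but bypassable is not detected), so treat the output as a review queue rather than a verdict.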
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Japan, South Korea, India, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-23T16:34:59.931Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69c18de6f4197a8e3b82dd8d
Added to database: 3/23/2026, 7:00:54 PM
Last enriched: 3/23/2026, 7:18:48 PM
Last updated: 3/24/2026, 5:17:23 AM