CVE-2026-34375: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in WWBN AVideo
Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the YPTWallet Stripe payment confirmation page directly echoes the `$_REQUEST['plugin']` parameter into a JavaScript block without any encoding or sanitization. The `plugin` parameter is not included in any of the framework's input filter lists defined in `security.php`, so it passes through completely raw. An attacker can inject arbitrary JavaScript by crafting a malicious URL and sending it to a victim user. The same script block also outputs the current user's username and password hash via `User::getUserName()` and `User::getUserPass()`, meaning a successful XSS exploitation can immediately exfiltrate these credentials. Commit fa0bc102493a15d79fe03f86c07ab7ca1b5b63e2 fixes the issue.
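To make the pattern concrete, the following is an added illustration, not code from the AVideo project (the page gives no source listing, and the fixing commit's contents are not shown here). It reconstructs the defect the description names, a request parameter written straight into a `<script>` block, and sets a hardened form beside it. Everything beyond `$_REQUEST['plugin']` (function names, the allowlist contents, the variable name in the script) is assumed for the example.

```php
<?php
// Added example, not AVideo's code. Reconstructs the pattern the advisory
// describes and shows a context-aware fix. Names other than $_REQUEST['plugin']
// are assumptions.

// --- Vulnerable pattern (as the advisory describes it) ---
// The raw parameter is concatenated into a JavaScript string literal. Any
// quote, backslash or "</script>" in the value changes the meaning of the
// generated script, so the response runs attacker-chosen JavaScript.
function renderConfirmationVulnerable(array $request): string
{
    $plugin = $request['plugin'] ?? '';
    return "<script>var plugin = '" . $plugin . "';</script>";
}

// --- Hardened form ---
// 1. Allowlist: a plugin name is an identifier the application already knows,
//    so anything else is rejected instead of being encoded and passed along.
//    (Assumption: the real application would load this list from its registry.)
const ALLOWED_PLUGINS = ['YPTWallet'];

// 2. Encode for the JavaScript context. json_encode with the JSON_HEX_* flags
//    turns < > & ' " into \uXXXX escapes, so the value can neither close the
//    <script> element nor break out of the literal, whatever it contains.
function jsStringLiteral(string $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// 3. The script block carries only what the client needs. The advisory notes
//    the original block also printed the user's password hash; secrets of
//    that kind do not belong in client-side script at all, so none are emitted.
function renderConfirmationHardened(array $request): string
{
    $plugin = (string)($request['plugin'] ?? '');
    if (!in_array($plugin, ALLOWED_PLUGINS, true)) {
        // Unknown plugin name: refuse to render rather than echo it back.
        throw new InvalidArgumentException('unknown plugin parameter');
    }
    return '<script>var plugin = ' . jsStringLiteral($plugin) . ';</script>';
}

// --- Demonstration with a constructed input that would break out of the
// literal in the vulnerable version. ---
$probe = ['plugin' => "x'</script><b>"];

echo renderConfirmationVulnerable($probe), PHP_EOL;
// Output contains a closed literal and a closed <script> tag: the markup after
// it is interpreted by the browser, which is the injection the advisory reports.

try {
    echo renderConfirmationHardened($probe), PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;   // allowlist stops it first
}

// Even without the allowlist, the encoder alone neutralises the characters:
echo jsStringLiteral($probe['plugin']), PHP_EOL;
// "x\u0027\u003c/script\u003e\u003cb\u003e"
```

The two controls are independent: the allowlist is the right fix when the parameter is a name the application already knows, and the JSON encoder is the right tool whenever free-form text genuinely has to reach a script block. The page states that `plugin` is absent from the input filter lists in `security.php` but not what the fixing commit changed, so the example shows the output-point fix rather than guessing at the framework-level one.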
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
WWBN AVideo, an open source video platform, contains a cross-site scripting vulnerability (CWE-79) in its YPTWallet Stripe payment confirmation page in versions up to and including 26.0. The vulnerability occurs because the `plugin` parameter from the `$_REQUEST` superglobal is echoed directly into a JavaScript block without any encoding or sanitization, and because `plugin` is absent from the input filter lists in `security.php`, the framework's filtering never touches it. This allows an attacker to inject arbitrary JavaScript code by sending a crafted URL to a victim. The injected script can access sensitive information such as the victim's username and password hash, which the same block outputs via calls to `User::getUserName()` and `User::getUserPass()`. The vulnerability has a CVSS 3.1 base score of 8.2, indicating high severity. A code commit (fa0bc102493a15d79fe03f86c07ab7ca1b5b63e2) addresses and fixes this issue.
Potential Impact
Successful exploitation of this vulnerability allows an attacker to execute arbitrary JavaScript in the context of a victim user visiting the malicious URL. This can lead to theft of sensitive user information, specifically the victim's username and password hash, which are exposed in the vulnerable script block. The vulnerability does not require privileges or authentication and can be triggered via user interaction (clicking a crafted link). There is no indication of known exploits in the wild at this time.
Mitigation Recommendations
A fix for this vulnerability is available and has been implemented in the codebase as of commit fa0bc102493a15d79fe03f86c07ab7ca1b5b63e2. Users and administrators of WWBN AVideo should upgrade to a version that includes this fix or apply the patch from the referenced commit. Until patched, avoid clicking on untrusted links that may contain malicious `plugin` parameters. Patch status beyond the commit is not explicitly stated; verify with the vendor or official WWBN AVideo repositories for the latest patched release.
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-27T13:43:14.369Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69c6d01e3c064ed76fe28e18
Added to database: 3/27/2026, 6:44:46 PM
Last enriched: 4/4/2026, 10:56:37 AM
Last updated: 5/11/2026, 6:19:28 AM