CVE-2026-34375 is a cross-site scripting (XSS) vulnerability classified under CWE-79 affecting WWBN's open source video platform AVideo, specifically versions up to and including 26.0. The issue exists in the YPTWallet Stripe payment confirmation page, where the `plugin` parameter from the `$_REQUEST` superglobal is directly echoed into a JavaScript context without any form of sanitization or encoding. This parameter is not included in the framework's input filtering lists defined in `security.php`, allowing it to pass through unchecked. As a result, an attacker can craft a malicious URL containing JavaScript payloads within the `plugin` parameter, which will execute in the context of the victim's browser when they visit the URL. The same vulnerable script block also outputs the current user's username and password hash via calls to `User::getUserName()` and `User::getUserPass()`. This means a successful exploitation can immediately exfiltrate these sensitive credentials to an attacker-controlled server. The vulnerability requires no privileges (PR:N), has low attack complexity (AC:L), but does require user interaction (UI:R). The scope is changed (S:C) because the vulnerability affects data beyond the vulnerable component. The confidentiality impact is high (C:H), integrity impact is low (I:L), and availability impact is none (A:N). Although no known exploits are reported in the wild yet, the vulnerability poses a significant risk due to the sensitive data exposure and ease of exploitation. A fix has been committed (commit fa0bc102493a15d79fe03f86c07ab7ca1b5b63e2) that presumably adds proper input validation or encoding to the `plugin` parameter to prevent script injection.

The primary impact of this vulnerability is the potential theft of user credentials, including usernames and password hashes, which can lead to account compromise and unauthorized access to the AVideo platform. Because the vulnerability allows arbitrary JavaScript execution in the context of authenticated users, attackers can also perform session hijacking, perform actions on behalf of users, or pivot to other internal systems if the platform is integrated with other services. The exposure of password hashes increases the risk of offline password cracking, potentially compromising multiple accounts if password reuse occurs. Organizations using AVideo for video hosting and streaming services risk data breaches, loss of user trust, and potential regulatory penalties if user data is compromised. The vulnerability's exploitation requires user interaction, typically via phishing or social engineering, but the low complexity and high confidentiality impact make it a critical concern for any deployment. The lack of input filtering on the `plugin` parameter indicates a broader risk if similar patterns exist elsewhere in the codebase.

Organizations should immediately upgrade AVideo to a version that includes the fix for CVE-2026-34375 or apply the patch from commit fa0bc102493a15d79fe03f86c07ab7ca1b5b63e2. In the absence of an official patch, temporary mitigations include implementing strict input validation and output encoding on the `plugin` parameter, especially when embedding user input into JavaScript contexts. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of XSS attacks. Conduct a thorough code audit to identify other instances where user input is embedded without sanitization. Educate users and administrators about phishing risks, as exploitation requires user interaction. Monitor web server logs and application telemetry for suspicious URL parameters or unusual activity related to the `plugin` parameter. Finally, enforce strong password policies and consider multi-factor authentication to mitigate the impact of credential theft.