CVE-2026-34394: CWE-352: Cross-Site Request Forgery (CSRF) in WWBN AVideo
WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's admin plugin configuration endpoint (admin/save.json.php) lacks any CSRF token validation. There is no call to isGlobalTokenValid() or verifyToken() before processing the request. Combined with the application's explicit SameSite=None cookie policy, an attacker can forge cross-origin POST requests from a malicious page to overwrite arbitrary plugin settings on a victim administrator's session. Because the plugins table is included in the ignoreTableSecurityCheck() array in objects/Object.php, standard table-level access controls are also bypassed. This allows a complete takeover of platform functionality by reconfiguring payment processors, authentication providers, cloud storage credentials, and more. At time of publication, there are no publicly available patches.
AI Analysis
Technical Summary
WWBN AVideo versions 26.0 and prior have a CSRF vulnerability in the admin plugin configuration endpoint (admin/save.json.php) due to missing CSRF token validation calls such as isGlobalTokenValid() or verifyToken(). The SameSite=None cookie policy enables cross-origin requests to carry authentication cookies, and the plugins table is excluded from standard table-level security checks, allowing attackers to overwrite arbitrary plugin settings. This can lead to a complete takeover of platform functionality by modifying critical configurations like payment processors, authentication providers, and cloud storage credentials. No patches are currently available.
Potential Impact
Successful exploitation allows an attacker to perform unauthorized configuration changes on the AVideo platform by forging requests from a victim administrator's browser. This can result in full platform compromise, including control over payment processing, authentication mechanisms, and cloud storage credentials. The vulnerability does not affect availability but has high impact on confidentiality and integrity.
Mitigation Recommendations
At the time of this report, no official patches or fixes are available. Administrators should apply strict access controls to the admin interface and consider disabling or restricting the vulnerable plugin configuration endpoint until a fix is released. Monitoring for suspicious administrative changes is advised. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.
CVE-2026-34394: CWE-352: Cross-Site Request Forgery (CSRF) in WWBN AVideo
Description
WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's admin plugin configuration endpoint (admin/save.json.php) lacks any CSRF token validation. There is no call to isGlobalTokenValid() or verifyToken() before processing the request. Combined with the application's explicit SameSite=None cookie policy, an attacker can forge cross-origin POST requests from a malicious page to overwrite arbitrary plugin settings on a victim administrator's session. Because the plugins table is included in the ignoreTableSecurityCheck() array in objects/Object.php, standard table-level access controls are also bypassed. This allows a complete takeover of platform functionality by reconfiguring payment processors, authentication providers, cloud storage credentials, and more. At time of publication, there are no publicly available patches.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
WWBN AVideo versions 26.0 and prior have a CSRF vulnerability in the admin plugin configuration endpoint (admin/save.json.php) due to missing CSRF token validation calls such as isGlobalTokenValid() or verifyToken(). The SameSite=None cookie policy enables cross-origin requests to carry authentication cookies, and the plugins table is excluded from standard table-level security checks, allowing attackers to overwrite arbitrary plugin settings. This can lead to a complete takeover of platform functionality by modifying critical configurations like payment processors, authentication providers, and cloud storage credentials. No patches are currently available.
Potential Impact
Successful exploitation allows an attacker to perform unauthorized configuration changes on the AVideo platform by forging requests from a victim administrator's browser. This can result in full platform compromise, including control over payment processing, authentication mechanisms, and cloud storage credentials. The vulnerability does not affect availability but has high impact on confidentiality and integrity.
Mitigation Recommendations
At the time of this report, no official patches or fixes are available. Administrators should apply strict access controls to the admin interface and consider disabling or restricting the vulnerable plugin configuration endpoint until a fix is released. Monitoring for suspicious administrative changes is advised. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-27T13:45:29.619Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69cc343ee6bfc5ba1d4033d2
Added to database: 3/31/2026, 8:53:18 PM
Last enriched: 4/8/2026, 4:13:44 AM
Last updated: 5/16/2026, 12:38:55 AM
Views: 52
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.