CVE-2026-34396: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in WWBN AVideo
CVE-2026-34396 is a cross-site scripting (XSS) vulnerability in WWBN AVideo versions 26.0 and earlier. The vulnerability arises because the admin panel fails to properly encode plugin configuration values before rendering them in HTML forms, allowing injection of arbitrary JavaScript. An attacker with the ability to set plugin configuration values—either by compromising an admin account or exploiting a CSRF vulnerability—can execute malicious scripts when an administrator views the plugin configuration page. This flaw affects the jsonToFormElements() function in admin/functions.php, which directly interpolates user-controlled input into HTML elements without htmlspecialchars() or equivalent encoding. No patches are available at the time of disclosure. The CVSS score is 6.1 (medium severity), reflecting network attack vector, low complexity, no privileges required, but requiring user interaction and impacting confidentiality and integrity. There are no known exploits in the wild yet.
AI Analysis
Technical Summary
CVE-2026-34396 is a stored cross-site scripting vulnerability affecting WWBN AVideo, an open-source video platform, in versions 26.0 and prior. The vulnerability exists because the admin panel's plugin configuration interface fails to properly sanitize or encode user-controlled input before embedding it into HTML form elements. Specifically, the jsonToFormElements() function in admin/functions.php directly inserts plugin configuration values into textarea contents, option elements, and input attributes without applying htmlspecialchars() or any other output encoding. This improper neutralization of input (CWE-79) allows an attacker who can set or manipulate plugin configuration values—either by having administrative access or by chaining with a cross-site request forgery (CSRF) attack against admin/save.json.php—to inject arbitrary JavaScript code. When any administrator subsequently visits the affected plugin configuration page, the injected script executes in their browser context, potentially leading to session hijacking, credential theft, or further administrative compromise. The vulnerability is exploitable remotely over the network without authentication but requires user interaction (an admin visiting the malicious page). The scope is confined to the administrative interface, but the impact includes loss of confidentiality and integrity of administrative sessions and data. At the time of publication, no patches or official fixes have been released, and no public exploits are known. The CVSS 3.1 base score is 6.1, indicating medium severity due to the combination of ease of exploitation and impact on confidentiality and integrity without affecting availability.
Potential Impact
This vulnerability poses a significant risk to organizations using WWBN AVideo, particularly those relying on the administrative interface for plugin management. Successful exploitation can lead to arbitrary JavaScript execution in the context of an administrator’s browser, enabling session hijacking, credential theft, or unauthorized administrative actions. This can result in unauthorized access to sensitive video content, user data, or platform configuration, potentially leading to data breaches or service manipulation. Since the vulnerability can be chained with CSRF attacks, attackers without direct admin credentials might still exploit it, increasing the attack surface. The impact is primarily on confidentiality and integrity, with no direct availability impact. Organizations with multiple administrators or those exposing the admin panel to the internet are at higher risk. The absence of patches means the vulnerability remains exploitable until mitigations are applied, increasing exposure time. Additionally, compromised administrative accounts can be leveraged for further attacks within the organization’s infrastructure.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately restrict access to the AVideo admin panel to trusted networks and users, ideally behind VPNs or IP whitelisting. Implement multi-factor authentication (MFA) for all administrator accounts to reduce the risk of credential compromise. Monitor and audit administrative actions and plugin configurations for unauthorized changes. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting the plugin configuration endpoints. Since no official patches are available, consider applying temporary code-level mitigations by modifying the jsonToFormElements() function to properly encode all user-controlled input using htmlspecialchars() or equivalent output encoding functions before rendering in HTML. Educate administrators to avoid clicking on suspicious links or performing plugin configuration changes from untrusted sources to reduce CSRF risks. Regularly back up configuration data to enable recovery if compromise occurs. Stay alert for official patches or updates from WWBN and apply them promptly once released.
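The code-level mitigation described above, shown in PHP as an added example written for this analysis (it is not AVideo's own source). It models a hypothetical renderer in the style of the jsonToFormElements() function the advisory names, placing the unencoded interpolation pattern (CWE-79) beside a hardened version that passes every stored value through htmlspecialchars() in each of the three contexts the advisory lists: textarea contents, option elements and input value attributes. The function names h(), renderFieldUnsafe(), renderFieldSafe() and jsonToFormElementsSafe(), the way select options are chosen, and the sample configuration are all assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not code from the AVideo project. A hypothetical renderer in the
// style of the jsonToFormElements() function named in the advisory, showing the
// unencoded pattern (CWE-79) beside the hardened form. All function names and
// the sample configuration below are assumptions.

/** Encode a string for HTML text content or a double-quoted attribute value. */
function h(string $value): string
{
    // ENT_QUOTES also encodes single quotes; ENT_SUBSTITUTE keeps invalid UTF-8
    // from turning the whole output into an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Vulnerable pattern: values are interpolated into the markup as-is.
 * A value containing </textarea>, a double quote or a tag changes the
 * structure of the admin page instead of being displayed as data.
 */
function renderFieldUnsafe(string $name, string $value, array $options = []): string
{
    if ($options !== []) {
        $html = "<select name=\"{$name}\">";
        foreach ($options as $opt) {
            $selected = ($opt === $value) ? ' selected' : '';
            $html .= "<option value=\"{$opt}\"{$selected}>{$opt}</option>";
        }
        return $html . '</select>';
    }
    if (strpos($value, "\n") !== false) {
        return "<textarea name=\"{$name}\">{$value}</textarea>";
    }
    return "<input type=\"text\" name=\"{$name}\" value=\"{$value}\">";
}

/** Hardened form: every untrusted string passes through h() at the point of output. */
function renderFieldSafe(string $name, string $value, array $options = []): string
{
    if ($options !== []) {
        $html = '<select name="' . h($name) . '">';
        foreach ($options as $opt) {
            $selected = ($opt === $value) ? ' selected' : '';
            $html .= '<option value="' . h($opt) . '"' . $selected . '>' . h($opt) . '</option>';
        }
        return $html . '</select>';
    }
    if (strpos($value, "\n") !== false) {
        return '<textarea name="' . h($name) . '">' . h($value) . '</textarea>';
    }
    return '<input type="text" name="' . h($name) . '" value="' . h($value) . '">';
}

/**
 * Build the form from a stored JSON config. $selectOptions maps a key to the
 * allowed values of a drop-down (assumed to come from stored, untrusted data
 * as well); every other key becomes an input or a textarea.
 */
function jsonToFormElementsSafe(string $json, array $selectOptions = []): string
{
    $config = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
    $out = '';
    foreach ($config as $key => $value) {
        $key = (string) $key;
        $value = is_scalar($value) ? (string) $value : json_encode($value);
        $out .= '<label>' . h($key) . '</label>';
        $out .= renderFieldSafe($key, $value, $selectOptions[$key] ?? []) . "\n";
    }
    return $out;
}

// Constructed sample: a stored config whose values carry markup, as they would
// after someone able to write plugin settings had saved them.
$storedConfig = json_encode([
    'title' => 'My channel"><b>injected</b>',
    'notes' => "line one\n</textarea><b>injected</b>",
    'mode'  => 'auto',
]);
$selectOptions = ['mode' => ['auto', 'manual', 'auto"><b>injected</b>']];

echo "--- unsafe (the behaviour the advisory describes) ---\n";
echo renderFieldUnsafe('title', 'My channel"><b>injected</b>'), "\n";
echo "--- safe ---\n";
$safe = jsonToFormElementsSafe($storedConfig, $selectOptions);
echo $safe;

// Sanity check: no raw tag from the stored values survives in the safe output.
if (strpos($safe, '<b>') !== false || strpos($safe, '&lt;b&gt;') === false) {
    throw new RuntimeException('output encoding failed');
}
```

Run with `php example.php`: the unsafe line shows the closing quote and tag from the stored title breaking out of the value attribute, while every value in the safe output appears as `&lt;`, `&gt;` and `&quot;` entities, so the browser displays the text instead of interpreting it. Encoding at the output point, rather than filtering on save, also covers values that were stored before the fix was applied.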
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-27T13:45:29.619Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69cc37c1e6bfc5ba1d4189f5
Added to database: 3/31/2026, 9:08:17 PM
Last enriched: 3/31/2026, 9:26:26 PM
Last updated: 4/1/2026, 6:17:08 AM