WWBN AVideo is an open-source video platform that in versions 26.0 and prior contains a CSRF vulnerability (CVE-2026-34613) in the objects/pluginSwitch.json.php endpoint. This endpoint allows administrators to enable or disable any installed plugin but fails to implement CSRF token validation. Although it verifies an active admin session, it does not protect against forged requests originating from malicious sites. Furthermore, the plugins database table is explicitly excluded from the ORM-level Referer/Origin domain validation implemented in ObjectYPT::save(), effectively bypassing an additional layer of defense. Compounding this issue, session cookies are configured with SameSite=None, allowing cross-site requests to carry authentication cookies. An attacker can exploit this by luring an authenticated administrator to a crafted webpage that silently sends requests to disable critical security plugins such as LoginControl (which enforces two-factor authentication), subscription enforcement, or access control plugins. Disabling these plugins can significantly weaken the platform’s security posture. At the time of publication, no patches or fixes are publicly available, leaving installations vulnerable. The CVSS 3.1 score of 6.5 reflects a medium severity, with no confidentiality or availability impact but high integrity impact due to unauthorized changes to plugin states. Exploitation requires user interaction (admin visiting a malicious page) but no additional privileges beyond an authenticated admin session.

The primary impact of this vulnerability is the unauthorized disabling of critical security plugins by an attacker, which can severely degrade the security controls of the AVideo platform. This includes disabling two-factor authentication, subscription enforcement, and access control mechanisms, potentially allowing attackers to bypass authentication protections, gain unauthorized access to content, or disrupt subscription-based revenue models. While the vulnerability does not directly expose confidential data or cause denial of service, the integrity compromise can lead to broader security breaches, unauthorized content access, and potential account takeover scenarios. Organizations relying on AVideo for video hosting and streaming services may face increased risk of account compromise, content theft, or unauthorized administrative actions. The lack of available patches increases exposure duration, making timely mitigation critical. The attack requires an administrator to be tricked into visiting a malicious site, so social engineering is a key factor in exploitation. However, the widespread use of SameSite=None cookies increases the risk of successful CSRF attacks.

To mitigate this vulnerability, organizations should implement the following specific measures: 1) Immediately restrict administrative access to trusted networks or VPNs to reduce exposure to malicious sites. 2) Educate administrators about the risks of visiting untrusted websites while logged into the AVideo admin interface. 3) Temporarily disable or restrict plugin management functionality if feasible until patches are available. 4) Implement web application firewall (WAF) rules to detect and block suspicious cross-site requests targeting the pluginSwitch.json.php endpoint. 5) Modify session cookie settings to use SameSite=Lax or Strict to prevent cross-site cookie transmission, if configurable. 6) Monitor administrative logs for unusual plugin enable/disable activity. 7) Follow WWBN AVideo project communications closely for forthcoming patches and apply them promptly once released. 8) Consider deploying additional multi-factor authentication methods outside of the vulnerable plugin to maintain strong admin authentication. 9) Review and harden other security controls to compensate for potential plugin disablement. These steps go beyond generic advice by focusing on immediate risk reduction and compensating controls in the absence of a patch.