CVE-2026-34613: CWE-352: Cross-Site Request Forgery (CSRF) in WWBN AVideo
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo endpoint objects/pluginSwitch.json.php allows administrators to enable or disable any installed plugin. The endpoint checks for an active admin session but does not validate a CSRF token. Additionally, the plugins database table is explicitly listed in ignoreTableSecurityCheck(), which means the ORM-level Referer/Origin domain validation in ObjectYPT::save() is also bypassed. Combined with SameSite=None on session cookies, an attacker can disable critical security plugins (such as LoginControl for 2FA, subscription enforcement, or access control plugins) by luring an admin to a malicious page. At time of publication, there are no publicly available patches.
AI Analysis
Technical Summary
WWBN AVideo versions 26.0 and earlier contain a CSRF vulnerability in the pluginSwitch.json.php endpoint. This endpoint permits authenticated administrators to enable or disable any installed plugin but lacks CSRF token validation. Additionally, the plugins table is excluded from ORM-level Referer/Origin domain validation, further weakening protections. Because session cookies are set with SameSite=None, an attacker can craft malicious web pages that cause an admin to unknowingly disable security-critical plugins such as two-factor authentication or access control. This combination of missing CSRF protection and cookie settings enables unauthorized modification of plugin states via CSRF attacks. No official patches or fixes are available as of the publication date.
Potential Impact
An attacker can exploit this vulnerability to disable important security plugins by tricking an authenticated administrator into visiting a malicious webpage. This can lead to the removal of protections like two-factor authentication, subscription enforcement, or access control, significantly weakening the security posture of the affected AVideo installation. The vulnerability does not directly disclose data or cause denial of service but facilitates further attacks by reducing security controls.
Mitigation Recommendations
At the time of publication, no official patches or fixes are available for this vulnerability. Administrators should exercise caution and avoid visiting untrusted websites while logged into the AVideo administration interface. Monitoring for suspicious activity related to plugin state changes is recommended. Check the vendor's advisory channels regularly for updates or patches addressing this issue.
CVE-2026-34613: CWE-352: Cross-Site Request Forgery (CSRF) in WWBN AVideo
Description
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo endpoint objects/pluginSwitch.json.php allows administrators to enable or disable any installed plugin. The endpoint checks for an active admin session but does not validate a CSRF token. Additionally, the plugins database table is explicitly listed in ignoreTableSecurityCheck(), which means the ORM-level Referer/Origin domain validation in ObjectYPT::save() is also bypassed. Combined with SameSite=None on session cookies, an attacker can disable critical security plugins (such as LoginControl for 2FA, subscription enforcement, or access control plugins) by luring an admin to a malicious page. At time of publication, there are no publicly available patches.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
WWBN AVideo versions 26.0 and earlier contain a CSRF vulnerability in the pluginSwitch.json.php endpoint. This endpoint permits authenticated administrators to enable or disable any installed plugin but lacks CSRF token validation. Additionally, the plugins table is excluded from ORM-level Referer/Origin domain validation, further weakening protections. Because session cookies are set with SameSite=None, an attacker can craft malicious web pages that cause an admin to unknowingly disable security-critical plugins such as two-factor authentication or access control. This combination of missing CSRF protection and cookie settings enables unauthorized modification of plugin states via CSRF attacks. No official patches or fixes are available as of the publication date.
Potential Impact
An attacker can exploit this vulnerability to disable important security plugins by tricking an authenticated administrator into visiting a malicious webpage. This can lead to the removal of protections like two-factor authentication, subscription enforcement, or access control, significantly weakening the security posture of the affected AVideo installation. The vulnerability does not directly disclose data or cause denial of service but facilitates further attacks by reducing security controls.
Mitigation Recommendations
At the time of publication, no official patches or fixes are available for this vulnerability. Administrators should exercise caution and avoid visiting untrusted websites while logged into the AVideo administration interface. Monitoring for suspicious activity related to plugin state changes is recommended. Check the vendor's advisory channels regularly for updates or patches addressing this issue.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-30T17:15:52.501Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69cc37c1e6bfc5ba1d4189fb
Added to database: 3/31/2026, 9:08:17 PM
Last enriched: 4/8/2026, 12:08:41 AM
Last updated: 5/16/2026, 8:01:36 AM
Views: 42
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.