CVE-2026-34739: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in WWBN AVideo
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the User_Location plugin's testIP.php page reflects the ip request parameter directly into an HTML input element without applying htmlspecialchars() or any other output encoding. This allows an attacker to inject arbitrary HTML and JavaScript via a crafted URL. Although the page is restricted to admin users, AVideo's SameSite=None cookie configuration allows cross-origin exploitation, meaning an attacker can lure an admin to a malicious link that executes JavaScript in their authenticated session. At time of publication, there are no publicly available patches.
AI Analysis
Technical Summary
WWBN AVideo versions 26.0 and prior contain an improper neutralization of input vulnerability (CWE-79) in the User_Location plugin's testIP.php page. The ip parameter is directly injected into an HTML input element without htmlspecialchars() or equivalent encoding, enabling injection of arbitrary HTML and JavaScript. Despite the page's admin-only restriction, the SameSite=None cookie configuration permits cross-origin attacks, allowing an attacker to execute script in the context of an authenticated admin session via a crafted URL. This vulnerability has a CVSS 3.1 base score of 6.1, indicating medium severity. No official patches or fixes are currently available.
Potential Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of an authenticated admin user session. This can lead to limited confidentiality and integrity impacts, such as theft of admin session data or manipulation of admin interface elements. The vulnerability does not affect availability. The cross-origin exploitability is enabled by the SameSite=None cookie setting, increasing the attack surface despite the admin-only page restriction.
Mitigation Recommendations
At the time of publication, no official patches or fixes are available for this vulnerability. Users should monitor the vendor's advisory channels for updates. As a temporary measure, restricting access to the affected testIP.php page to trusted networks or disabling the User_Location plugin may reduce risk. Additionally, reviewing and adjusting cookie SameSite settings to a more restrictive policy could help mitigate cross-origin exploitation. Avoid clicking on untrusted links that could trigger this vulnerability in admin sessions.
CVE-2026-34739: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in WWBN AVideo
Description
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the User_Location plugin's testIP.php page reflects the ip request parameter directly into an HTML input element without applying htmlspecialchars() or any other output encoding. This allows an attacker to inject arbitrary HTML and JavaScript via a crafted URL. Although the page is restricted to admin users, AVideo's SameSite=None cookie configuration allows cross-origin exploitation, meaning an attacker can lure an admin to a malicious link that executes JavaScript in their authenticated session. At time of publication, there are no publicly available patches.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
WWBN AVideo versions 26.0 and prior contain an improper neutralization of input vulnerability (CWE-79) in the User_Location plugin's testIP.php page. The ip parameter is directly injected into an HTML input element without htmlspecialchars() or equivalent encoding, enabling injection of arbitrary HTML and JavaScript. Despite the page's admin-only restriction, the SameSite=None cookie configuration permits cross-origin attacks, allowing an attacker to execute script in the context of an authenticated admin session via a crafted URL. This vulnerability has a CVSS 3.1 base score of 6.1, indicating medium severity. No official patches or fixes are currently available.
Potential Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of an authenticated admin user session. This can lead to limited confidentiality and integrity impacts, such as theft of admin session data or manipulation of admin interface elements. The vulnerability does not affect availability. The cross-origin exploitability is enabled by the SameSite=None cookie setting, increasing the attack surface despite the admin-only page restriction.
Mitigation Recommendations
At the time of publication, no official patches or fixes are available for this vulnerability. Users should monitor the vendor's advisory channels for updates. As a temporary measure, restricting access to the affected testIP.php page to trusted networks or disabling the User_Location plugin may reduce risk. Additionally, reviewing and adjusting cookie SameSite settings to a more restrictive policy could help mitigate cross-origin exploitation. Avoid clicking on untrusted links that could trigger this vulnerability in admin sessions.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-30T18:41:20.755Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69cc37c1e6bfc5ba1d418a10
Added to database: 3/31/2026, 9:08:17 PM
Last enriched: 4/8/2026, 4:15:10 AM
Last updated: 5/16/2026, 12:02:25 AM
Views: 61
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.