WWBN AVideo, an open source video platform, has a CSRF vulnerability (CWE-352) in versions 29.0 and prior affecting three admin-only JSON endpoints: objects/categoryAddNew.json.php, objects/categoryDelete.json.php, and objects/pluginRunUpdateScript.json.php. These endpoints perform state-changing database actions after checking only user roles without validating CSRF tokens (missing calls to isGlobalTokenValid() or forbidIfIsUntrustedRequest()). Other similar endpoints do enforce CSRF tokens, indicating this was an omission. An attacker can exploit this by tricking a logged-in admin into visiting a malicious page, enabling unauthorized creation, deletion, or modification of categories and forced execution of plugin update scripts. A code commit (ee5615153c40628ab3ec6fe04962d1f92e67d3e2) contains a fix, but no official patch or vendor advisory is currently provided.

Successful exploitation allows an attacker to perform unauthorized administrative actions such as creating, deleting, or modifying categories and forcing execution of plugin update scripts within the context of an authenticated admin session. This can lead to unauthorized changes in the platform's configuration and potentially impact platform integrity and availability. The CVSS score of 7.1 reflects high impact on integrity and low impact on availability, with no confidentiality impact.

A fix has been committed in the source code repository (commit ee5615153c40628ab3ec6fe04962d1f92e67d3e2) that adds proper CSRF token validation to the affected endpoints. However, there is no official patch release or vendor advisory confirming availability of a formal fix. Users should monitor the vendor's official channels for a released patch and apply it promptly once available. Until then, consider restricting admin access and avoid visiting untrusted sites while logged in as an admin to reduce risk.