WWBN AVideo, an open source video platform, contains a command injection vulnerability (CWE-77) in versions 29.0 and earlier. The vulnerability arises because the cloneServer.json.php endpoint in the CloneSite plugin uses user-controlled input directly in a shell command without proper sanitization. Specifically, the 'url' parameter is concatenated into a wget command executed via PHP's exec() function, enabling attackers to inject shell metacharacters and execute arbitrary commands remotely. The vulnerability has a CVSS 4.0 score of 8.9 (high severity). A code commit identified as 473c609fc2defdea8b937b00e86ce88eba1f15bb contains the fix for this issue.

Successful exploitation allows unauthenticated attackers to execute arbitrary shell commands on the affected server, resulting in remote code execution. This can lead to full compromise of the server hosting the AVideo platform. There are no known exploits in the wild at this time.

A fix is available and included in commit 473c609fc2defdea8b937b00e86ce88eba1f15bb. Users should upgrade to a version of WWBN AVideo that includes this commit or apply the patch manually. Since the vulnerability is in self-hosted software, administrators must apply the fix themselves. Patch status is not explicitly confirmed in a vendor advisory, so users should verify the presence of the fix in their deployed version.