WWBN AVideo versions ≤ 29.0 contain an XSS vulnerability in the objects/notifySubscribers.json.php endpoint. The vulnerability occurs because the raw 'message' POST parameter is passed directly into the sendSiteEmail() function, which substitutes it into an HTML email template without any HTML sanitization, character escaping, or output encoding before rendering with PHPMailer::msgHTML(). This allows authenticated users with upload permissions to send arbitrary HTML content to all subscribers of their channel, potentially enabling phishing, UI spoofing, or tracking. The emails are sent from the platform's configured contact address and include official branding, making the malicious content appear legitimate. A code commit addressing this issue exists but no official patch or remediation level is specified in the provided data.

An attacker with authenticated upload permissions can send crafted HTML emails to up to 10,000 subscribers per invocation. These emails can contain phishing links, tracking pixels, or UI spoofing elements, potentially leading to credential theft or privacy violations. The emails appear to originate from the official platform contact address and include branding, increasing the risk of successful social engineering attacks. There is no indication of direct system compromise or denial of service from this vulnerability. No known exploits in the wild have been reported.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. A code commit addressing the vulnerability exists in the WWBN AVideo GitHub repository. Until an official patch is released and applied, restrict upload permissions to trusted users only to reduce risk. Monitor official WWBN channels for updates and apply the fix once available.