DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-33501: Missing Authorization Information Disclosure in WWBN AVideo Permissions Plugin

Vulnerability ID: CVE-2026-33501
CVSS Score: 5.3
Published: 2026-03-20

WWBN AVideo versions 26.0 and prior suffer from a missing authorization vulnerability (CWE-862) in the Permissions plugin. Unauthenticated attackers can query the list.json.php endpoint to extract the complete internal permission matrix, which details the relationships between user groups and plugins. The flaw arises because this endpoint lacks the function-level access control check that its sibling administrative endpoints perform.

TL;DR

An unauthenticated information disclosure vulnerability in AVideo's Permissions plugin allows complete mapping of user groups to plugins via a simple HTTP GET request.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-862
  • Attack Vector: Network
  • CVSS Score: 5.3 (Medium)
  • Impact: Confidentiality: Low
  • Exploit Status: Proof of Concept (PoC) Available
  • KEV Status: Not Listed

Affected Systems

  • WWBN AVideo <= 26.0

Code Analysis

Commit: b583acd

Adds the authorization gate (User::isAdmin()) to list.json.php.

+$plugin = AVideoPlugin::loadPluginIfEnabled('Permissions');
+if (!User::isAdmin()) {
+    die(json_encode(['error' => true, 'msg' => 'You cant do this']));
+}
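Review bot: `die(json_encode([...]))` exits with PHP's default HTTP 200, so an unauthenticated caller gets a success status carrying an error body; set an explicit status first, e.g. `http_response_code(403);` before the `die`, so clients, proxies and log-based detection can tell the refusal apart from a successful matrix fetch. In the same hunk, `$plugin` is assigned from `AVideoPlugin::loadPluginIfEnabled('Permissions')` but never checked in these lines; a disabled plugin should be rejected at that point as well rather than letting the request continue. Minor: the message 'You cant do this' should read 'You can't do this'.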

Commit: dc3c825

Structural cleanup and response formatting for the Permissions plugin endpoint.

Exploit Details

  • Vendor Advisory: Simple HTTP GET request to the vulnerable list.json.php endpoint demonstrating unauthenticated matrix extraction.

Mitigation Strategies

  • Upgrade WWBN AVideo to a release subsequent to version 26.0.
  • Manually add the User::isAdmin() validation check to list.json.php, placed before the matrix is emitted as in commit b583acd.
  • Implement WAF rules to restrict unauthorized access to the plugin/Permissions/View/ path.

Remediation Steps:

  1. Identify the deployed version of WWBN AVideo.
  2. Download the patched source code incorporating commits b583acdc9a9d1eab461543caa363e1a104fb4516 and dc3c825734628bb32550d0daa125f05bacb6829c.
  3. Replace the vulnerable list.json.php file with the patched version.
  4. Verify the remediation by issuing an unauthenticated curl request to the endpoint; ensure a JSON error object is returned instead of the matrix.
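Step 4 as a repeatable check, written here as an added example that is not part of the original report. It assumes the endpoint lives at `<base>/plugin/Permissions/View/list.json.php` (the report names the path prefix and the file separately) and treats any 2xx JSON answer other than the patch's `{"error": true, ...}` object as still exposed; the sample bodies are constructed, not captured from a real instance.

```python
"""Verify the CVE-2026-33501 fix on your own AVideo instance (added example)."""
import json
import sys
import urllib.error
import urllib.request

# Assumed full path: report gives the prefix and file name separately.
ENDPOINT = "plugin/Permissions/View/list.json.php"


def classify_response(status: int, body: str) -> str:
    """Map an unauthenticated response to a verdict.

    'fixed'   - patched gate answered: JSON object with a truthy "error"
    'blocked' - refused before the script ran (WAF or auth layer, 401/403)
    'exposed' - a 2xx JSON answer that is not the error object (data leaks)
    'unknown' - anything else (5xx, non-JSON bodies, redirects to HTML)
    """
    if status in (401, 403):
        return "blocked"
    try:
        data = json.loads(body)
    except ValueError:
        return "unknown"
    if isinstance(data, dict) and data.get("error"):
        return "fixed"
    if 200 <= status < 300:
        return "exposed"
    return "unknown"


def fetch(base_url: str, timeout: float = 10.0):
    """Issue the unauthenticated GET (no cookies, no auth) and return (status, body)."""
    url = base_url.rstrip("/") + "/" + ENDPOINT
    req = urllib.request.Request(url, headers={"User-Agent": "cve-2026-33501-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:  # 4xx/5xx responses still carry a body
        return exc.code, exc.read().decode("utf-8", "replace")


# Constructed sample responses for offline use; the row shape is illustrative only.
SAMPLES = {
    "patched": (200, '{"error":true,"msg":"You cant do this"}'),
    "waf": (403, "<html>Forbidden</html>"),
    "vulnerable": (200, '[{"users_groups_id":1,"plugin":"ExamplePlugin"}]'),
}

if __name__ == "__main__":
    status, body = fetch(sys.argv[1]) if len(sys.argv) > 1 else SAMPLES["patched"]
    verdict = classify_response(status, body)
    print(f"HTTP {status}: {verdict}")
    sys.exit(0 if verdict in ("fixed", "blocked") else 1)
```

Run it as `python check.py https://your-avideo.example` against an instance you administer; a non-zero exit means the matrix is still reachable or the result could not be interpreted.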

Read the full report for CVE-2026-33501 on our website for more details including interactive diagrams and full exploit analysis.
