GHSA-8whc-2wmv-ww35: Unauthenticated Stored DOM-based Cross-Site Scripting in WWBN AVideo YPTSocket Plugin
Vulnerability ID: GHSA-8WHC-2WMV-WW35
CVSS Score: 8.8
Published: 2026-06-04
An unauthenticated stored DOM-based Cross-Site Scripting (DOM XSS) vulnerability in the YPTSocket plugin of WWBN AVideo (formerly YouPHPTube) allows remote attackers to execute arbitrary JavaScript within the session context of administrative users. Unsanitized metadata parameters supplied during the WebSocket handshake are persisted in an SQLite database and broadcast to connected users. The frontend application processes these parameters through an unsafe jQuery append sink, leading to silent, high-impact administrative context compromise.
TL;DR
Unauthenticated attackers can supply malicious parameters during WebSocket handshakes to trigger stored DOM-based XSS, leading to session hijacking and remote execution of administrative actions in WWBN AVideo.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-79
- Attack Vector: Network
- CVSS v3.1 Score: 8.8
- Exploit Status: Proof of Concept
- Impact: Administrative Session Hijacking / Stored XSS
- CISA KEV Status: Not Listed
Affected Systems
- WWBN AVideo platform with the YPTSocket plugin enabled
- AVideo: <= 11.6 (Fixed in: Commit 8be71e53ccbe9b84b30870db386fb4d2b11e1c16)
Code Analysis
Commit: 8be71e5
Fixing secure parameter initialization in YPTSocket plugin's SQLite communication file.
Mitigation Strategies
- Apply the official vendor patch from the WWBN AVideo repository to update `plugin/YPTSocket/MessageSQLiteV2.php`.
- Implement a robust Content Security Policy (CSP) header restricting the execution of dynamic, inline scripts.
- Adopt safe DOM manipulation methods in frontend templates by replacing jQuery `.append()` with safe text-binding APIs.
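The following added example (not AVideo's code) contrasts the string-concatenation pattern that feeds a jQuery `.append()` sink with a validated and escaped version, mirroring on the client the `htmlspecialchars` and `filter_var` checks of the server-side fix. The field names `userId`, `userName` and `pageUrl` are hypothetical stand-ins for the handshake metadata, and the sample object is constructed.

```javascript
// Added example: field names (userId, userName, pageUrl) are hypothetical,
// not taken from AVideo's YPTSocket code.

// Counterpart of PHP htmlspecialchars($s, ENT_QUOTES): neutralise HTML metacharacters.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Allow only absolute http(s) URLs; javascript:, data: and unparsable input become ''.
function safeHttpUrl(value) {
  try {
    const url = new URL(String(value));
    return url.protocol === 'http:' || url.protocol === 'https:' ? url.href : '';
  } catch (_) {
    return '';
  }
}

// Normalise one broadcast metadata object before it goes anywhere near the DOM.
function sanitizeMetadata(raw) {
  const id = Number.parseInt(raw.userId, 10);
  return {
    userId: Number.isInteger(id) && id >= 0 ? id : 0,
    userName: String(raw.userName ?? '').slice(0, 64),
    pageUrl: safeHttpUrl(raw.pageUrl),
  };
}

// Vulnerable pattern: untrusted strings concatenated into markup that is
// later handed to $(container).append(html).
function renderRowUnsafe(raw) {
  return '<li><a href="' + raw.pageUrl + '">' + raw.userName + '</a></li>';
}

// Hardened pattern: validate first, then escape every value for its HTML context.
// With jQuery, $('<a>').attr('href', m.pageUrl).text(m.userName) avoids markup strings entirely.
function renderRowSafe(raw) {
  const m = sanitizeMetadata(raw);
  return '<li data-user="' + m.userId + '"><a href="' + escapeHtml(m.pageUrl) + '">' +
    escapeHtml(m.userName) + '</a></li>';
}

// Constructed sample resembling hostile handshake metadata.
const sample = { userId: '7', userName: '<img src=x onerror=alert(1)>', pageUrl: 'javascript:alert(1)' };
console.log(renderRowUnsafe(sample));
console.log(renderRowSafe(sample));
```
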
Remediation Steps:
- Access the WWBN AVideo server host shell and navigate to the AVideo installation directory.
- Fetch the latest patches from the upstream repository or apply the diff for commit `8be71e53ccbe9b84b30870db386fb4d2b11e1c16` manually.
- Verify that the file `plugin/YPTSocket/MessageSQLiteV2.php` includes the `htmlspecialchars` and `filter_var` sanitization routines.
- Restart the ReactPHP WebSocket background process (usually run via supervisor or systemd) to flush the memory database and load the new script logic.
References
- GHSA-8WHC-2WMV-WW35 Advisory
- Vulnerable Server-Side Code Reference
- Vulnerable Client-Side Code Reference