GHSA-GMPC-FXG2-VCMQ: Stored Cross-Site Scripting (XSS) in AVideo TopMenu Plugin
Vulnerability ID: GHSA-GMPC-FXG2-VCMQ
CVSS Score: 6.1
Published: 2026-04-01
The TopMenu plugin in AVideo up to version 26.0 contains a stored cross-site scripting (XSS) vulnerability. User-controlled menu fields are rendered without proper output encoding, so an administrative user can store JavaScript in the menu configuration that then executes on every public-facing page.
TL;DR
A stored XSS flaw in AVideo's TopMenu plugin allows injected JavaScript to execute on every public page, potentially leading to widespread account takeover. The vulnerability is currently unpatched.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-79
- Attack Vector: Network (Stored XSS)
- CVSS v3.1 Score: 6.1
- Impact: Session Hijacking, Phishing, Forced Actions
- Exploit Status: Proof-of-Concept
- Component: TopMenu Plugin
- Fix Status: Unpatched
Affected Systems
- AVideo Base Installation (up to v26.0)
- AVideo TopMenu Plugin
- AVideo: <= 26.0 (Fixed in: Unpatched)
Mitigation Strategies
- Disable the TopMenu plugin
- Implement WAF rules to detect XSS patterns in plugin configuration endpoints
- Perform regular database audits of menu configurations
- Enforce strict access controls on administrative accounts
Remediation Steps
- Log in to the AVideo administrative interface.
- Navigate to the Plugin Manager.
- Locate the TopMenu plugin and select the option to disable it.
- Review the database table associated with the TopMenu plugin for any existing malicious payloads and delete them.
- Monitor the vendor repository for future patches addressing the lack of output encoding.
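The following PHP is an added illustration, not AVideo's or the TopMenu plugin's own code. It contrasts the unencoded rendering pattern the advisory describes (stored menu fields interpolated straight into HTML) with a hardened version that encodes each value for its context and restricts link schemes, and it adds a small audit helper of the kind the database-review step above calls for. The menu item structure, the `label`/`url` field names, the function names, and the sample rows are all assumptions constructed for this example.

```php
<?php
// Added example (not AVideo's code). Assumes each stored menu item is an
// associative array with 'label' and 'url' keys; real table/column names differ.
declare(strict_types=1);

/** Encode a value for placement in HTML text or a quoted attribute. */
function encodeText(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

/** Allow only http(s) absolute URLs or site-relative paths in href; anything else becomes '#'. */
function safeHref(string $url): string
{
    // '/(?!/)' rejects protocol-relative '//host' links; 'javascript:' and 'data:' never match.
    if (preg_match('#^(https?://|/(?!/))#i', $url)) {
        return encodeText($url);
    }
    return '#';
}

/** Vulnerable pattern: admin-controlled fields written into markup with no encoding. */
function renderMenuUnsafe(array $items): string
{
    $html = '<ul class="topmenu">';
    foreach ($items as $item) {
        $html .= "<li><a href=\"{$item['url']}\">{$item['label']}</a></li>";
    }
    return $html . '</ul>';
}

/** Hardened version: same markup, every dynamic value encoded for its context. */
function renderMenuSafe(array $items): string
{
    $html = '<ul class="topmenu">';
    foreach ($items as $item) {
        $html .= '<li><a href="' . safeHref($item['url']) . '">'
               . encodeText($item['label']) . '</a></li>';
    }
    return $html . '</ul>';
}

/**
 * Audit helper for stored menu rows: flags tags, entity-encoded bytes, inline
 * event handlers and script-bearing URL schemes. Tuned for review, so false
 * positives (e.g. a legitimate '&#' entity) are acceptable and are checked by a human.
 */
function findSuspiciousMenuItems(array $items): array
{
    $pattern = '/<\s*\/?\s*[a-z]|&#|\bon[a-z]+\s*=|\b(?:javascript|data|vbscript)\s*:/i';
    $flagged = [];
    foreach ($items as $i => $item) {
        foreach (['label', 'url'] as $field) {
            $value = (string) ($item[$field] ?? '');
            if (preg_match($pattern, $value)) {
                $flagged[] = ['index' => $i, 'field' => $field, 'value' => $value];
            }
        }
    }
    return $flagged;
}

// Constructed sample rows standing in for the plugin's stored menu configuration.
$menu = [
    ['label' => 'Home',                              'url' => '/'],
    ['label' => 'Videos <script>alert(1)</script>',  'url' => '/videos'],          // constructed payload
    ['label' => 'Support',                           'url' => 'javascript:alert(1)'], // constructed payload
];

echo "Unsafe render:\n", renderMenuUnsafe($menu), "\n\n";
echo "Safe render:\n", renderMenuSafe($menu), "\n\n";
foreach (findSuspiciousMenuItems($menu) as $hit) {
    printf("FLAG item %d field %s: %s\n", $hit['index'], $hit['field'], $hit['value']);
}
```

Run it with `php menu_example.php`: the unsafe render emits the stored `<script>` tag and `javascript:` link verbatim, the safe render shows them as inert text and a neutralised `#` link, and the audit loop flags both constructed rows. The same `findSuspiciousMenuItems` logic can be pointed at rows pulled from the plugin's real storage once the correct table and columns are known.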
References
Read the full report for GHSA-GMPC-FXG2-VCMQ on our website for more details including interactive diagrams and full exploit analysis.