GHSA-w5ff-2mjc-4phc: OS Command Injection in AVideo SocialMediaPublisher Plugin
Vulnerability ID: GHSA-W5FF-2MJC-4PHC
CVSS Score: 5.9
Published: 2026-03-19
The AVideo platform contains an OS Command Injection vulnerability within the SocialMediaPublisher plugin. The application improperly sanitizes LinkedIn API responses before passing them to a shell execution context, allowing attackers who control the API response to execute arbitrary commands as the web server user.
TL;DR
A command injection flaw in AVideo's SocialMediaPublisher plugin allows attackers to execute arbitrary OS commands via manipulated LinkedIn API responses.
⚠️ Exploit Status: PoC
Technical Details
- CWE ID: CWE-78
- Attack Vector: Network
- Attack Complexity: High
- CVSS v3.1 Score: 5.9
- Privileges Required: High
- Exploit Status: PoC Available
Affected Systems
- WWBN AVideo
- AVideo SocialMediaPublisher Plugin
- AVideo: >= 10.4, <= 25.0
Exploit Details
- GitHub Advisory: Proof of Concept demonstrating injection via uploadUrl payload.
Mitigation Strategies
- Update AVideo to a version later than 25.0.
- Replace the PHP exec() shell command with native PHP cURL functionality.
- Apply escapeshellarg() to all dynamic variables passed to system commands.
Remediation Steps:
- Identify the version of AVideo currently deployed in the environment.
- If the version is between 10.4 and 25.0 inclusive, schedule an immediate maintenance window.
- Update the application core and all associated plugins via the package manager or repository.
- If patching is not possible, locate plugin/SocialMediaPublisher/Objects/SocialUploader.php.
- Modify lines 713-720 to wrap $filePath and $uploadUrl with escapeshellarg(), or rewrite the method using curl_init().
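The two fixes named in Mitigation Strategies and in the last remediation step, as an added PHP illustration written for this advisory (not AVideo's own code, and not the contents of lines 713-720): a hypothetical reconstruction of the flaw class, where an API-supplied $uploadUrl is interpolated into an exec() command line, beside the escapeshellarg() fix and a rewrite on curl_init() that involves no shell at all. The function names, the PUT-style upload and the HTTPS-only check are assumptions.

```php
<?php
// Added example for this advisory, not AVideo's own code. Function names,
// the PUT upload shape and the surrounding variables are assumptions.
// VULNERABLE PATTERN (hypothetical reconstruction of the flaw class):
// $uploadUrl is taken from the LinkedIn API response and concatenated
// unescaped into a command line, so shell metacharacters in it are
// interpreted by /bin/sh rather than passed to curl as data (CWE-78).
function uploadViaShellUnsafe(string $filePath, string $uploadUrl): string
{
    exec("curl -s -X PUT --upload-file {$filePath} {$uploadUrl}", $out);
    return implode("\n", $out);
}

// MITIGATION 1: keep the shell but quote every dynamic argument.
// escapeshellarg() single-quotes the value and escapes embedded quotes,
// so the shell sees exactly one literal argument per variable.
function uploadViaShellEscaped(string $filePath, string $uploadUrl): string
{
    exec('curl -s -X PUT --upload-file ' . escapeshellarg($filePath)
         . ' ' . escapeshellarg($uploadUrl), $out);
    return implode("\n", $out);
}

// MITIGATION 2 (preferred): no shell at all. Native cURL receives the URL
// and file as data, so there is no command line to inject into; the
// scheme check and CURLOPT_PROTOCOLS also pin where the file may be sent.
function uploadViaCurl(string $filePath, string $uploadUrl): bool
{
    $parts = parse_url($uploadUrl);
    if ($parts === false || ($parts['scheme'] ?? '') !== 'https') {
        return false;                       // refuse unparsable or non-HTTPS URLs
    }
    $fh = fopen($filePath, 'rb');
    if ($fh === false) {
        return false;
    }
    $ch = curl_init($uploadUrl);
    curl_setopt_array($ch, [
        CURLOPT_UPLOAD         => true,     // HTTP PUT of the open file handle
        CURLOPT_INFILE         => $fh,
        CURLOPT_INFILESIZE     => filesize($filePath),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FAILONERROR    => true,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,  // no file://, gopher:// etc.
    ]);
    $ok = curl_exec($ch) !== false;
    curl_close($ch);
    fclose($fh);
    return $ok;
}
```

Only the third form removes the shell from the data path; the second still depends on every call site remembering to quote every variable.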
References
- GitHub Security Advisory GHSA-w5ff-2mjc-4phc
- AVideo GitHub Repository
- OSV Entry for GHSA-w5ff-2mjc-4phc