GHSA-wprj-9cvc-5w37: Unauthenticated Access to Sensitive Data via Missing Authorization in AVideo
Vulnerability ID: GHSA-WPRJ-9CVC-5W37
CVSS Score: 7.5
Published: 2026-03-29
WWBN AVideo versions up to and including 26.0 suffer from a systematic authorization failure (CWE-862). Unauthenticated attackers can query multiple JSON endpoints across various plugins to extract sensitive system, financial, and user data. The vulnerability resides in the omission of access control checks within data table listing scripts.
TL;DR
Missing authorization checks in AVideo <= 26.0 allow unauthenticated extraction of sensitive data, including PayPal logs and user records, via exposed JSON endpoints.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-862
- Attack Vector: Network
- CVSS Score: 7.5
- Impact: High (Data Confidentiality)
- Exploit Status: poc
- Authentication Required: None
Affected Systems
- WWBN AVideo <= 26.0
-
AVideo: <= 26.0 (Fixed in:
Post-26.0 (Commit 1729a955f8de7e26552eb728b3d1e6f4b1b9352e))
Code Analysis
Commit: 1729a95
Fix missing authorization on list.json.php endpoints
Exploit Details
- Vulnerability Context: Direct enumeration of /plugin/*/list.json.php endpoints
Mitigation Strategies
- Apply official vendor patch
- Implement explicit authorization gates on all API endpoints
- Audit third-party plugins for missing access control checks
Remediation Steps:
- Identify the current version of AVideo running on the server.
- If the version is 26.0 or lower, plan an immediate upgrade.
- Apply commit 1729a955f8de7e26552eb728b3d1e6f4b1b9352e or install the latest available release.
- Verify the fix by attempting unauthenticated access to /plugin/PayPalYPT/View/PayPalYPT_log/list.json.php.
- Review web server logs for HTTP 200 responses to known vulnerable endpoints to identify historical compromise.
References
Read the full report for GHSA-WPRJ-9CVC-5W37 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)