WWBN AVideo AI Plugin Endpoint IDOR Vulnerability Allows Unauthorized Access to AI-Generated Metadata

Vulnerability

An Insecure Direct Object Reference (IDOR) vulnerability has been identified in the WWBN AVideo AI plugin, specifically in versions through 26.0. The issue arises in the 'save.json.php' endpoint, which loads AI response objects using an attacker-controlled 'id' parameter without checking that the referenced response belongs to the requesting user. This missing ownership validation allows authenticated users with AI permissions to reference AI response IDs from other users' private videos and apply the stolen content (titles, descriptions, keywords, summaries, or full transcriptions) to their own videos. The vulnerability therefore allows private information to be exfiltrated without authorization.

Impact

Exploitation of this vulnerability leads to unauthorized access and theft of AI-generated metadata and transcriptions from other users' private videos, which can be applied to the attacker's own videos. This not only breaches the confidentiality of private video content but also allows for systematic harvesting of AI responses across the platform, given that response IDs are sequential integers.

Reproduction

To reproduce this vulnerability, an authenticated user with AI permissions can send a request to the 'save.json.php' endpoint, including a victim's AI response ID in the 'id' parameter, along with their own video ID. The endpoint will respond by applying the stolen AI-generated content to the attacker's video. This process can be automated to harvest all AI responses from the victim's private videos.

Remediation

The vulnerability has been patched in version 26.0. Users should update to this version to address the issue.
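The missing check described in the Vulnerability section, shown as an added illustration that is not AVideo's own code: a minimal handler that loads an AI response by client-supplied id, first without any ownership validation and then with the response-to-video-to-owner check that closes the IDOR. The store class, table and column names, and helper names are assumptions for the example.

```php
<?php
declare(strict_types=1);

// Hypothetical in-memory stand-in for the database; constructed for this example only.
final class AiResponseStore
{
    /**
     * @param array<int, array{id:int, videos_id:int}> $responses  ai_response id => record
     * @param array<int, int>                           $videoOwners video id => owner user id
     */
    public function __construct(private array $responses, private array $videoOwners) {}

    public function getResponse(int $id): ?array
    {
        return $this->responses[$id] ?? null;
    }

    public function videoOwner(int $videosId): ?int
    {
        return $this->videoOwners[$videosId] ?? null;
    }
}

// Vulnerable pattern: the id is trusted, so any existing response is loaded and applied.
function applyResponseVulnerable(AiResponseStore $db, int $currentUser, int $responseId, int $targetVideo): bool
{
    $resp = $db->getResponse($responseId);
    return $resp !== null; // no check that $resp belongs to $currentUser
}

// Fixed pattern: the response must come from a video the caller owns, and the target
// video must also be the caller's. Unknown ids are denied the same way as foreign ones.
function applyResponseFixed(AiResponseStore $db, int $currentUser, int $responseId, int $targetVideo): bool
{
    $resp = $db->getResponse($responseId);
    if ($resp === null || $db->videoOwner($resp['videos_id']) !== $currentUser) {
        error_log("denied: user {$currentUser} requested ai_response {$responseId}"); // audit trail for IDOR probing
        return false;
    }
    if ($db->videoOwner($targetVideo) !== $currentUser) {
        return false; // never write metadata into a video the caller does not own
    }
    return true; // safe to copy title/description/keywords/transcription onto $targetVideo
}

// Constructed sample data: response 7 belongs to video 100 (owned by user 1); user 2 owns video 200.
$db = new AiResponseStore([7 => ['id' => 7, 'videos_id' => 100]], [100 => 1, 200 => 2]);
var_dump(applyResponseVulnerable($db, 2, 7, 200)); // user 2 reaches user 1's response
var_dump(applyResponseFixed($db, 2, 7, 200));      // same request with the ownership check
var_dump(applyResponseFixed($db, 1, 7, 100));      // the owner using their own response
```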

Added: Mar 27, 2026, 4:13 PM
Updated: Mar 27, 2026, 4:13 PM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 3.1
exploitability: 6.4
remediation: 0.0
relevance: 4.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.