WWBN AVideo Cross-Site Request Forgery Vulnerability in Admin Plugin Configuration

Vulnerability

A cross-site request forgery (CSRF) vulnerability has been identified in WWBN AVideo versions through 26.0. The issue arises in the admin plugin configuration endpoint (admin/save.json.php), which lacks CSRF token validation. This allows an attacker to forge cross-origin POST requests that overwrite arbitrary plugin settings using a victim administrator's authenticated session. The absence of standard table-level access controls for the plugins table further exacerbates the issue, enabling a complete takeover of platform functionality by reconfiguring payment processors, authentication providers, cloud storage credentials, and more.

Impact

Exploitation of this vulnerability allows for unauthorized reconfiguration of any plugin on the AVideo platform, leading to a full platform takeover. This includes hijacking payment processing by redirecting funds to an attacker's account, stealing credentials by redirecting media uploads to attacker-controlled storage, bypassing authentication by manipulating identity provider settings, and installing backdoors through persistent access plugins.

Reproduction

To reproduce this vulnerability, log in to AVideo as an administrator. Then, host an HTML page on an attacker-controlled domain that includes a form targeting the vulnerable admin/save.json.php endpoint. The form should be pre-filled with the plugin name and the desired values to overwrite, such as PayPal receiver email or S3 storage credentials. When the administrator visits the malicious page, the form will automatically submit, applying the changes without their knowledge.

Remediation

It is recommended to add CSRF token validation to the admin/save.json.php endpoint, immediately after the admin check. This can be done by calling isGlobalTokenValid() and rejecting the request when the token is missing or invalid, before any plugin settings are processed.
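The following is an added illustration of the recommended fix, not the actual contents of AVideo's admin/save.json.php. It sketches the guard section of the endpoint: the existing admin check, followed by the CSRF token check the remediation describes. isGlobalTokenValid() is the function named in the advisory; the bootstrap include path, User::isAdmin(), and the JSON error-object convention are assumptions about AVideo's code layout, and the helper adminSaveRequestAllowed() is hypothetical.

```php
<?php
// Hypothetical sketch of the guard section of admin/save.json.php.
// Assumption: AVideo's bootstrap is included this way and defines
// User::isAdmin() and isGlobalTokenValid().
require_once '../videos/configuration.php';

header('Content-Type: application/json');

/**
 * Hypothetical helper: a plugin-settings update is only allowed when
 * the caller is an admin AND the request carries a valid global token.
 * A cross-origin form on an attacker's domain rides on the admin's
 * session cookie, so the first condition alone is not enough; the token
 * is what the foreign origin cannot read or forge.
 */
function adminSaveRequestAllowed(): bool
{
    if (!User::isAdmin()) {
        return false;
    }
    // The added CSRF check, placed immediately after the admin check as the
    // remediation recommends. It must run before any setting is touched.
    if (!isGlobalTokenValid()) {
        return false;
    }
    return true;
}

// Assumed error-object convention: {"error": true, "msg": "..."}.
$obj = new stdClass();
$obj->error = true;
$obj->msg = '';

if (!User::isAdmin()) {
    http_response_code(403);
    $obj->msg = 'Admin only';
    die(json_encode($obj));
}

if (!isGlobalTokenValid()) {
    // Reject forged cross-origin POSTs here; nothing below this line runs.
    http_response_code(403);
    $obj->msg = 'Invalid or missing CSRF token';
    die(json_encode($obj));
}

// Only from this point on may the endpoint read the plugin name and the
// submitted values and write them to the plugins table (existing logic).
```

To confirm the fix is in place, an authenticated administrator session that POSTs to admin/save.json.php without the global token should receive the 403 JSON error above and no plugin row should change; the same request with the token the application issues to the logged-in page should succeed. Because the token is tied to the AVideo session and a third-party page cannot read it, the cross-origin auto-submitting form described under Reproduction no longer reaches the settings-update code.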

Added: Mar 31, 2026, 9:59 PM
Updated: Mar 31, 2026, 9:59 PM

Vulnerability Rating (Custom Algorithm)

  Category        Score
  spread          1.0
  impact          5.0
  exploitability  7.7
  remediation     0.0
  relevance       5.0
  threat          6.4
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to derive these eight vulnerability categories, which are then combined to calculate the overall risk score.