WWBN AVideo Stored Cross-Site Scripting Vulnerability in Admin Panel

Vulnerability

A stored cross-site scripting vulnerability has been identified in the WWBN AVideo admin panel, affecting versions through 26.0. The issue arises because plugin configuration values are rendered in HTML forms without proper output encoding. The vulnerability can be exploited by injecting arbitrary JavaScript into plugin configuration values, which is executed when an administrator visits the affected page. This vulnerability can be exploited directly by an authenticated admin or by chaining with a cross-site request forgery (CSRF) vulnerability on the 'admin/save.json.php' endpoint, allowing for exploitation without authentication.

Impact

Exploitation of this vulnerability leads to stored cross-site scripting in the AVideo admin panel. This allows an attacker to execute injected JavaScript in the context of an admin user, potentially stealing session cookies and CSRF tokens, creating new admin accounts, modifying site configurations, injecting persistent JavaScript into public-facing pages, or pivoting to server-side code execution via plugin upload functionality.

Reproduction

The vulnerability can be reproduced by storing a cross-site scripting payload in a plugin configuration value through the 'admin/save.json.php' endpoint. This can be done by an authenticated admin user or by exploiting the CSRF vulnerability on the same endpoint. Once the payload is saved, it will execute whenever an admin visits the plugin configuration page.

Remediation

To address this vulnerability, apply 'htmlspecialchars()' to all user-controlled values rendered in 'admin/functions.php'.
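As an added illustration of that fix (example code written here, not taken from the AVideo code base), the snippet below renders a stored plugin configuration value into a form field first the vulnerable way, then through a small encoding wrapper around 'htmlspecialchars()'. The array, function and field names are assumptions chosen for the example; ENT_QUOTES matters because the values land inside quoted HTML attributes, where an unencoded quote ends the attribute.

```php
<?php
// Added example, not AVideo's own code: a stored plugin configuration value
// rendered into an admin form field without encoding, beside the hardened
// form that passes every user-controlled value through htmlspecialchars().
// $pluginConfig, renderFieldRaw(), renderFieldSafe() and e() are assumed
// names for illustration, not identifiers from admin/functions.php.

declare(strict_types=1);

// Constructed sample value: it contains the characters that break out of an
// attribute or a tag when written into HTML unencoded.
$pluginConfig = [
    'title' => 'My site <b>"quoted"</b> & more',
];

// Vulnerable pattern: the stored value is concatenated into the attribute
// as-is, so a double quote in the value terminates value="..." early.
function renderFieldRaw(string $name, string $value): string
{
    return '<input type="text" name="' . $name . '" value="' . $value . '">';
}

// Hardened pattern: ENT_QUOTES encodes both ' and " (needed inside
// attributes), ENT_SUBSTITUTE replaces invalid byte sequences instead of
// returning an empty string, and the explicit UTF-8 charset avoids relying
// on the default_charset setting.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderFieldSafe(string $name, string $value): string
{
    return '<input type="text" name="' . e($name) . '" value="' . e($value) . '">';
}

foreach ($pluginConfig as $name => $value) {
    echo 'raw : ' . renderFieldRaw($name, $value) . PHP_EOL;
    echo 'safe: ' . renderFieldSafe($name, $value) . PHP_EOL;
}

// Quick self-check a reviewer can run: the encoded output must contain no
// raw quote or angle bracket outside the markup the template itself emits.
$encoded = e($pluginConfig['title']);
if (strpbrk($encoded, '<>"\'') !== false) {
    throw new RuntimeException('encoding wrapper left markup characters intact');
}
```

In the raw line the stored quote closes the attribute, which is the bug the advisory describes; in the safe line the same characters appear as entities and the browser shows them as literal text.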

Added: Mar 31, 2026, 9:54 PM
Updated: Mar 31, 2026, 9:54 PM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 5.4
exploitability: 6.0
remediation: 0.0
relevance: 5.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.