WWBN AVideo Cross-Site Request Forgery Vulnerability in Plugin Management Endpoint Allows Disabling Security Plugins

Vulnerability

A cross-site request forgery (CSRF) vulnerability has been identified in WWBN AVideo versions through 26.0. The issue resides in the plugin management endpoint, `objects/pluginSwitch.json.php`, which allows administrators to enable or disable installed plugins. While the endpoint verifies admin status, it performs no CSRF token validation. Furthermore, the `plugins` database table is excluded from ORM-level security checks, so the standard Referer/Origin domain validation that would otherwise reject a cross-site request is never applied to this action. Combined with session cookies issued with `SameSite=None`, this enables an attacker to disable essential security plugins by tricking an admin into visiting a malicious webpage.

Impact

Exploitation of this vulnerability allows an attacker to disable any AVideo plugin, including critical security plugins that manage two-factor authentication, subscription enforcement, and access control. The attack is conducted silently, without alerting the admin.

Reproduction

To reproduce this vulnerability, an attacker must host a webpage that sends a POST request to the `objects/pluginSwitch.json.php` endpoint, targeting a specific plugin UUID. When an administrator with an active session visits that page, the browser attaches the session cookie to the cross-site request (because it is set with `SameSite=None`), and since the endpoint performs no CSRF validation, the targeted plugin is disabled.

Remediation

It is recommended to add CSRF token validation to the `objects/pluginSwitch.json.php` endpoint, ensuring that all plugin management actions are protected against cross-site request forgery attacks.
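The following is an added illustration of the recommended fix, written for this page and not taken from the AVideo code base. It shows the three controls that together close the gap the advisory describes: a per-session CSRF token checked in constant time, an Origin/Referer check applied directly in the endpoint (independent of the ORM layer that excludes the `plugins` table), and a session cookie issued with `SameSite=Lax` instead of `None`. The function names (`getCsrfToken`, `verifyCsrfToken`, `originMatchesSite`), the session key `csrf_token`, the host constant and the `User::isAdmin()` call are assumptions for this example.

```php
<?php
// Added example (not AVideo's own code): CSRF protection for an admin
// plugin enable/disable endpoint. Names below are assumptions.
declare(strict_types=1);

// Placeholder for the site's own host; in a real deployment take it from
// configuration, not from the request's Host header.
const SITE_HOST = 'avideo.example.test';

// Issue the session cookie with SameSite=Lax (or Strict) rather than None,
// so a POST launched from a third-party page does not carry the session.
function startAdminSession(): void
{
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Create one random token per session; the admin UI embeds it in the form
// or sends it in the X-CSRF-Token header of its XHR calls.
function getCsrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison of the submitted token with the session token.
function verifyCsrfToken(?string $submitted): bool
{
    if ($submitted === null || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

// Defense in depth, applied here rather than in the ORM: a state-changing
// request must carry an Origin (or Referer) whose host is our own.
function originMatchesSite(array $server, string $expectedHost): bool
{
    $source = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    if ($source === '') {
        return false; // browsers send Origin on cross-site POSTs; absence is rejected
    }
    $host = parse_url($source, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $expectedHost) === 0;
}

// Request handling for the plugin switch action.
startAdminSession();
header('Content-Type: application/json');

$obj = new stdClass();
$obj->error = true;
$obj->msg   = '';

$token = $_POST['csrf_token'] ?? $_SERVER['HTTP_X_CSRF_TOKEN'] ?? null;

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    $obj->msg = 'POST required';
} elseif (!User::isAdmin()) { // AVideo's admin check; assumed to exist with this name
    $obj->msg = 'Admin only';
} elseif (!originMatchesSite($_SERVER, SITE_HOST)) {
    $obj->msg = 'Cross-site request rejected';
} elseif (!verifyCsrfToken($token)) {
    $obj->msg = 'Invalid or missing CSRF token';
} else {
    // Only here is it safe to toggle the plugin identified by $_POST['uuid'].
    $obj->error = false;
}

echo json_encode($obj);
```

The admin pages that call the endpoint must obtain the token (for example by rendering `getCsrfToken()` into a hidden field or a header) so that legitimate requests keep working; a page the attacker controls cannot read that value, which is what makes the check effective. The `SameSite=Lax` cookie and the Origin check are each sufficient on their own against the attack described above, but keeping all three means a future change to one of them does not silently reopen the endpoint.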

Added: Mar 31, 2026, 9:46 PM
Updated: Mar 31, 2026, 9:46 PM

Vulnerability Rating

Custom Algorithm
  spread          1.0
  impact          2.5
  exploitability  7.3
  remediation     0.0
  relevance       5.0
  threat          6.4
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.