WWBN AVideo Missing Authentication Vulnerability in CreatePlugin List Endpoint

Vulnerability

A vulnerability exists in WWBN AVideo versions through 26.0, where the CreatePlugin template for list.json.php lacks authentication and authorization checks. This oversight allows unauthenticated access to data listing endpoints generated by this template, exposing sensitive information such as users' personally identifiable information (PII), payment transaction logs, IP addresses, user agents, and internal system records. While the add.json.php and delete.json.php templates require admin privileges, the list.json.php template was released without such a safeguard. As a result, 21 unauthenticated data listing endpoints across various plugins are affected.

Impact

The vulnerability allows unauthenticated users to access 21 data listing endpoints across AVideo plugins, exposing user PII, payment data, access logs, social connection graphs, and activity records. This systemic issue arises from the CreatePlugin code generation template, which lacks necessary authentication checks, leaving sensitive data vulnerable to unauthorized access.

Reproduction

To reproduce this vulnerability, access any of the 21 affected list.json.php endpoints without authentication. The absence of authentication checks can be verified by the successful retrieval of data from these endpoints. Additionally, the vulnerability can be confirmed by checking the response for sensitive information such as user PII or payment transaction details.

Remediation

To address this vulnerability, add an admin authentication check to the CreatePlugin/templates/list.json.php file, following the pattern used in the add.json.php and delete.json.php templates. After updating the template, retroactively patch all existing generated list.json.php endpoints by adding the same admin check.
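
For the retroactive patching step, the audit below is an added example (not AVideo's own code) that lists every generated list.json.php that still has no admin check. It assumes the guard used in add.json.php is recognisable as a call to User::isAdmin(); the plugin names and paths in the sample tree are constructed.

```python
import re
import tempfile
from pathlib import Path

# Assumption: the admin guard is recognisable as a call to User::isAdmin(...).
# Change this to whatever add.json.php / delete.json.php use in your tree.
ADMIN_CHECK = re.compile(r"User::isAdmin\s*\(")
# Drop PHP comments so a commented-out guard is not counted (errs towards over-reporting).
PHP_COMMENTS = re.compile(r"/\*.*?\*/|(?://|#)[^\n]*", re.S)

def has_admin_check(php_file: Path) -> bool:
    source = php_file.read_text(encoding="utf-8", errors="replace")
    return bool(ADMIN_CHECK.search(PHP_COMMENTS.sub("", source)))

def audit(root: Path) -> dict:
    """Classify every list.json.php under root by presence of the admin guard."""
    report = {"unguarded": [], "guarded": [], "marker_unverified": []}
    for listing in sorted(root.rglob("list.json.php")):
        rel = listing.relative_to(root).as_posix()
        if has_admin_check(listing):
            report["guarded"].append(rel)
            continue
        report["unguarded"].append(rel)
        # If the sibling add.json.php also lacks the marker, ADMIN_CHECK probably
        # does not match this tree's guard: review that directory by hand.
        sibling = listing.with_name("add.json.php")
        if sibling.exists() and not has_admin_check(sibling):
            report["marker_unverified"].append(rel)
    return report

def build_sample_tree(root: Path) -> None:
    """Constructed sample input: hypothetical plugin names and file bodies."""
    guard = "<?php\nif (!User::isAdmin()) { die('denied'); }\n"
    files = {
        "plugin/ExampleA/View/Thing/list.json.php": "<?php\necho json_encode($rows);\n",
        "plugin/ExampleA/View/Thing/add.json.php": guard,
        "plugin/ExampleB/View/Thing/list.json.php": guard + "echo json_encode($rows);\n",
        "plugin/ExampleC/View/Thing/list.json.php": "<?php\n// if (!User::isAdmin()) die();\necho 1;\n",
    }
    for rel, body in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body, encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(Path(tmp))
        for kind, paths in audit(Path(tmp)).items():
            print(kind, paths)
```

Point audit() at the AVideo installation root after updating the template, and re-run it after patching until "unguarded" is empty.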

Added: Mar 31, 2026, 9:40 PM
Updated: Mar 31, 2026, 9:40 PM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 2.5
exploitability: 9.3
remediation: 0.0
relevance: 5.0
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.