CVE-2026-33295

WWBN/AVideo contains a stored cross-site scripting vulnerability in the CDN plugin's download buttons component. The clean title field of a video record is interpolated directly into a JavaScript string literal without any escaping, allowing an attacker who can create or modify a video to inject arbitrary JavaScript that executes in the browser of any user who visits the affected download page.

At line 59 of the affected file, the following PHP code constructs a JavaScript function call:

downloadURLOrAlertError(url, {}, '<?php echo $video['clean title']; ?>.' + format, progress);

The clean title value is echoed verbatim inside a single-quoted JavaScript string literal. No JavaScript-context escaping is applied, such as wrapping with json encode or htmlspecialchars with appropriate flags. Because the value sits inside a JS string delimited by single quotes, any input containing a single quote character allows an attacker to terminate the string prematurely and inject arbitrary JavaScript expressions. The clean title field is derived from user-supplied video title input, meaning any user with video creation or editing privileges can craft a malicious title. The injected script executes in the security context of whatever user loads the download page for that video, which may include administrators or authenticated users with elevated privileges.

import requests

target = "https://example.com"
login url = f"{target}/user"
upload url = f"{target}/video/addNew"

session = requests.Session()

session.post(login url, data={
  "user[user]": "attacker",
  "user[pass]": "attackerpassword"
})

malicious title = "');alert(document.cookie);//"

session.post(upload url, data={
  "title": malicious title,
  "description": "poc"
})

After the video is created, navigate to:

https://example.com/plugin/CDN/downloadButtons.php?videos id=<TARGET VIDEO ID>

The rendered page will contain:

downloadURLOrAlertError(url, {}, '');alert(document.cookie);//.' + format, progress);

Any user who can create or edit a video can store malicious JavaScript that will execute in the browser of any other user who visits the download page for that video. This includes scenarios where an attacker with a low-privilege account targets administrator sessions. Successful exploitation enables session cookie theft, credential harvesting, and actions performed on behalf of the victim within the application. Because the payload is stored server-side and triggers without further attacker interaction, all users who access download pages for attacker-controlled videos are at risk.