PT-2026-26479 · Unknown+1 · Socialmediapublisher+1

Restriction · Published 2026-03-19 · Updated 2026-03-23 · CVE-2026-33319

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: WWBN AVideo versions prior to 26.0

Description: The uploadVideoToLinkedIn() method in the SocialMediaPublisher plugin builds a shell command by interpolating an upload URL taken from LinkedIn's API response without sanitizing it. An attacker who can influence that API response (for example via a Man-in-the-Middle (MITM) attack, a compromised OAuth token, or a compromise of the LinkedIn API itself) could inject arbitrary operating system (OS) commands, which would run with the web server user's privileges. The vulnerability resides in plugin/SocialMediaPublisher/Objects/SocialUploader.php. The vulnerable code is located in the initializeLinkedInUploadSession() method (line 649) and the uploadVideoToLinkedIn() method (lines 711-720). The root cause is that neither the uploadUrl nor the filePath variable is sanitized before being concatenated into a shell command passed to exec(). A malicious URL such as https://uploads.linkedin.local" ; id ; echo "" terminates the quoted string, and the remainder is executed as a separate command. Attack complexity is rated high because it requires compromising a trusted HTTPS API response from LinkedIn. Successful exploitation could lead to remote code execution, potentially giving the attacker full read access to application source code, configuration files, and any data accessible to the web server process, as well as the ability to modify application files and plant backdoors.

Recommendations: Versions prior to 26.0 should be updated to version 26.0 or later. As a minimal fix, sanitize both $uploadUrl and $filePath with escapeshellarg() before interpolating them into the shell command. Alternatively, replace the exec() call with PHP's native cURL functions so that no shell is executed at all.
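As an added illustration (not AVideo's own code; function names and the curl command line are assumptions), the vulnerable interpolation pattern described above is shown beside the two fixes the recommendations name, escapeshellarg() and native cURL:

```php
<?php
// Added illustration, not code from the AVideo project. Function names are assumed.

// VULNERABLE pattern: $uploadUrl (from the LinkedIn API response) and $filePath are
// interpolated into a shell command. A URL containing a double quote followed by
// shell metacharacters ends the quoted argument, and the remainder runs as a
// separate command with the web server user's privileges.
function buildUploadCommandVulnerable(string $uploadUrl, string $filePath): string
{
    return "curl -s -X PUT \"$uploadUrl\" --upload-file \"$filePath\"";
}

// MINIMAL FIX: escapeshellarg() wraps each value in single quotes and escapes any
// embedded single quote, so the shell sees the whole value as one literal word.
function buildUploadCommandEscaped(string $uploadUrl, string $filePath): string
{
    return 'curl -s -X PUT ' . escapeshellarg($uploadUrl)
        . ' --upload-file ' . escapeshellarg($filePath);
}

// PREFERRED FIX: no shell at all. Native cURL issues the PUT directly, so
// metacharacters in the URL are never interpreted by a command interpreter.
function uploadWithNativeCurl(string $uploadUrl, string $filePath): bool
{
    // Accept only syntactically valid https URLs before touching the network.
    if (!filter_var($uploadUrl, FILTER_VALIDATE_URL) || stripos($uploadUrl, 'https://') !== 0) {
        return false;
    }
    $fh = fopen($filePath, 'rb');
    if ($fh === false) {
        return false;
    }
    $ch = curl_init($uploadUrl);
    curl_setopt_array($ch, [
        CURLOPT_PUT            => true,
        CURLOPT_INFILE         => $fh,
        CURLOPT_INFILESIZE     => filesize($filePath),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true, // keep TLS verification on; MITM is the attack path
    ]);
    $ok = curl_exec($ch) !== false && curl_getinfo($ch, CURLINFO_RESPONSE_CODE) < 300;
    curl_close($ch);
    fclose($fh);
    return $ok;
}

// Constructed input using the advisory's sample URL: the escaped form keeps it as
// a single literal argument, while the vulnerable form splits it into three commands.
$hostile = 'https://uploads.linkedin.local" ; id ; echo "';
echo buildUploadCommandVulnerable($hostile, '/tmp/video.mp4'), PHP_EOL;
echo buildUploadCommandEscaped($hostile, '/tmp/video.mp4'), PHP_EOL;
```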

Exploit

Fix

Weakness Enumeration

OS Command Injection

Related Identifiers

CVE-2026-33319
GHSA-W5FF-2MJC-4PHC

Affected Products

Avideo
Socialmediapublisher