PT-2026-26790 · Wwbn · Avideo

Restriction · Published 2026-03-20 · Updated 2026-03-23 · CVE-2026-33507

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: WWBN AVideo versions prior to 26.1
Description: The objects/pluginImport.json.php endpoint in WWBN AVideo allows admin users to upload and install plugin ZIP files containing executable PHP code. This endpoint lacks CSRF protection, and the application is configured to allow cross-origin cookies (session.cookie_samesite = 'None') for HTTPS connections. An unauthenticated attacker can exploit this combination by crafting a malicious page that, when visited by an authenticated administrator, silently uploads a plugin containing a PHP webshell, resulting in Remote Code Execution (RCE) on the server. The uploaded ZIP files are extracted into the plugin/ directory.

The vulnerability stems from the missing CSRF protection on the pluginImport.json.php endpoint combined with the application's cross-origin cookie configuration. The ZIP validation checks for path traversal and dangerous extensions, but PHP files are not in the dangerousExtensions list, so the upload of PHP files is not prevented. The request bypasses the CORS preflight requirement because multipart/form-data is a CORS-safelisted Content-Type. The webshell runs with the web server user's privileges, potentially leading to full server compromise.
Recommendations (versions prior to 26.1):
1. Add CSRF token validation to the objects/pluginImport.json.php endpoint.
2. Update the upload form in view/managerPluginUpload.php to include the CSRF token.
3. Consider changing SameSite=None to SameSite=Lax if cross-origin cookie inclusion is not essential for application functionality.
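An illustration of the token check and cookie setting the recommendations describe, added here as example code rather than AVideo's own fix; the function names (start_session_lax, csrf_token, require_csrf_token) and the csrf_token form field are assumptions:

```php
<?php
// Added example, not AVideo's code: CSRF token check for an upload endpoint of
// the pluginImport.json.php kind, plus a SameSite=Lax session cookie. Function
// and form-field names are hypothetical.
declare(strict_types=1);

// Lax (rather than None) keeps the session cookie off cross-site POSTs such as
// a form auto-submitted from an attacker-controlled page.
function start_session_lax(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params([
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Per-session token, generated once and rendered into the upload form as
// <input type="hidden" name="csrf_token" value="...">
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Call at the top of the endpoint, before touching $_FILES. Compares in
// constant time and rejects a missing, non-string or mismatched token.
function require_csrf_token(array $post): void
{
    $submitted = $post['csrf_token'] ?? '';
    $expected  = $_SESSION['csrf_token'] ?? '';
    if ($expected === '' || !is_string($submitted)
        || !hash_equals($expected, $submitted)) {
        http_response_code(403);
        header('Content-Type: application/json');
        echo json_encode(['error' => 'Invalid or missing CSRF token']);
        exit;
    }
}

start_session_lax();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    require_csrf_token($_POST);
    // Only now hand $_FILES to the ZIP validation and plugin import logic.
}
```

The form in view/managerPluginUpload.php would embed csrf_token() as a hidden field so that only pages served by the application can produce a request the endpoint accepts.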

Exploit · Fix · RCE · CSRF

Weakness Enumeration

Related Identifiers: CVE-2026-33507, GHSA-HV36-P4W4-6VMJ

Affected Products: Avideo