PT-2026-34227 · Avideo · Clonesite

Published 2026-04-16 · Updated 2026-04-25 · CVE-2026-41304

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: WWBN AVideo versions 29.0 and earlier
Description: The CloneSite plugin's 'cloneServer.json.php' endpoint builds a shell command from the url parameter without sanitizing it. The parameter is concatenated directly into a wget command that is run through the exec() function, so shell metacharacters placed in the parameter are interpreted by the shell and allow arbitrary commands to be executed on the server. This is Remote Code Execution (RCE): the ability to run any command on the target machine remotely.
Recommendations: Update to the version containing commit 473c609fc2defdea8b937b00e86ce88eba1f15bb. As a temporary workaround, restrict access to the 'cloneServer.json.php' endpoint or avoid using the url parameter in the CloneSite plugin until the update is applied.
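As an added illustration (not code from the AVideo project or the CloneSite plugin), the unsafe pattern the description names next to a hardened version: the url parameter is first validated as an absolute http(s) URL, then handed to wget as one literal argument through proc_open()'s array form (PHP 7.4+), which runs the program with no shell in between. Function names and the output path are assumptions.

```php
<?php
// Added illustrative example, not code from the AVideo project or its
// CloneSite plugin: the unsafe pattern the advisory describes next to a
// hardened version. Function names and the output path are hypothetical.

// UNSAFE: the request parameter is glued into a command string that exec()
// hands to /bin/sh, so shell metacharacters in it are interpreted as syntax.
function cloneFromUrlUnsafe(string $url): int
{
    exec('wget -q ' . $url . ' -O /tmp/clone.json', $out, $status);
    return $status;
}

// Allow-list validation: only an absolute http(s) URL of sane length passes.
// Returns the URL unchanged on success and null on rejection (reject, never
// try to "clean" the value). Requiring an http(s) scheme also guarantees the
// value cannot start with '-' and be parsed by wget as an option.
function validateCloneUrl(string $url): ?string
{
    if ($url === '' || strlen($url) > 2048) {
        return null;
    }
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $url : null;
}

// HARDENED: validate, then run wget through proc_open()'s array form
// (PHP >= 7.4), which executes the program directly with no shell, so the URL
// is always one literal argv entry. If a shell-based call such as exec()
// must be kept, wrap the value in escapeshellarg() instead.
function cloneFromUrlSafe(string $url): int
{
    $clean = validateCloneUrl($url);
    if ($clean === null) {
        return 1; // non-zero, like a failed download; the caller logs and aborts
    }
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open(['wget', '-q', $clean, '-O', '/tmp/clone.json'], $spec, $pipes);
    if (!is_resource($proc)) {
        return 1;
    }
    fclose($pipes[1]);
    fclose($pipes[2]);
    return proc_close($proc); // wget's exit status
}
```

Restricting who may reach the endpoint (the advisory's interim workaround) is still worthwhile on top of this, since the CVSS vector records no authentication requirement.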


Tags: RCE · OS Command Injection · Command Injection


Weakness Enumeration

Related Identifiers

CVE-2026-41304
GHSA-XR6F-H4X7-R6QP

Affected Products

Avideo
Clonesite