wwbn

207 tracked vulnerabilities.

CVE-2026-56347 MEDIUM
AVideo TopMenu Plugin - Stored Cross-Site Scripting via Unescaped Menu Item Fields
Jun 20, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-47696 MEDIUM
WWBN AVideo: Authenticated wallet credit bypass in AuthorizeNet processPayment endpoint
May 29, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-47694 MEDIUM
WWBN AVideo: Stored XSS via unescaped Gallery category description
May 29, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-46337 MEDIUM
WWBN AVideo: Unauthenticated Arbitrary Image Read via Path Traversal in `view/img/image404Raw.php`
May 29, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-45731 MEDIUM
WWBN AVideo: Authenticated Arbitrary File Read in view/update.php
May 29, 2026
CVSS 4.9
EPSS 0.00
CVE-2026-45620 MEDIUM
AVideo CVE-2026-43881 incomplete fix - `objects/mention.json.php:17` is an unauthenticated user enumeration
May 29, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-45619 MEDIUM
AVideo <= 29.0 - DNS Rebinding SSRF
May 29, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-45610 MEDIUM
WWBN AVideo plugin/LoginControl/set.json.php: 2FA toggle endpoint has no CSRF protection, letting an attacker page silently disable a logged-in victim's 2FA
May 29, 2026
CVSS 5.7
EPSS 0.00
CVE-2026-45580 MEDIUM
WWBN AVideo Live: stored XSS via unescaped stream key in modeYoutubeLive.php class attribute
May 29, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-45578 HIGH
WWBN AVideo Live: OS command injection in on_publish.php execAsync via unescaped m3u8 URL
May 29, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-43885 HIGH
WWBN AVideo: Exposure of Sensitive Information to an Unauthorized Actor and Missing Authorization
May 11, 2026
EPSS 0.00
CVE-2026-43884 HIGH
WWBN AVideo: SSRF Protection Bypass via HTTP Redirect and DNS Rebinding in isSSRFSafeURL()
May 11, 2026
CVSS 7.7
EPSS 0.00
CVE-2026-43883 MEDIUM
WWBN AVideo: IDOR in PayPalYPT agreementCancel.json.php Allows Any Authenticated User to Cancel Arbitrary PayPal Subscription Agreements
May 11, 2026
CVSS 4.2
EPSS 0.00
CVE-2026-43882 MEDIUM
WWBN AVideo: Unauthenticated CRLF/ICS Injection in Scheduler downloadICS.php Allows Calendar Event Spoofing
May 11, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-43881 MEDIUM
WWBN AVideo <= 29.0 - Unauthenticated User Enumeration
May 11, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-43880 MEDIUM
WWBN AVideo: Unauthenticated Arbitrary Email Sending via sendEmail.json.php Allows Phishing from Site's Legitimate From Address
May 11, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-43879 MEDIUM
WWBN AVideo: Blind SSRF in YPTWallet Donation Webhook via Missing isSSRFSafeURL() Check and CURLOPT_FOLLOWLOCATION Redirect Bypass
May 11, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-43878 MEDIUM
WWBN AVideo: Reflected XSS in plugin/Meet/iframe.php via Unescaped `user`/`pass` Parameters Reflected into JavaScript String Literal
May 11, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-43877 MEDIUM
WWBN AVideo: CSRF in userSavePhoto.php Allows Cross-Origin Overwrite of Any Logged-in User's Profile Photo with Arbitrary Bytes
May 11, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-43876 MEDIUM
WWBN AVideo: HTML Injection in notifySubscribers.json.php Enables Platform-Branded Phishing Emails to Channel Subscribers
May 11, 2026
CVSS 6.4
EPSS 0.00
CVE-2026-43875 MEDIUM
WWBN AVideo: Password Hash Leaked in MobileManager OAuth Redirect URL Enables Account Takeover
May 11, 2026
CVSS 6.8
EPSS 0.00
CVE-2026-43873 HIGH
WWBN AVideo: Unauthenticated Disclosure of CloneSite `myKey` via Error Echo in `cloneClient.json.php` Enables Cross-Site DB Dump of the Configured Clone Server
May 11, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-43874 HIGH
WWBN AVideo: Incomplete Fix for YPTSocket autoEvalCodeOnHTML Strip: Unauthenticated Cross-User JavaScript Execution via `$msg['json']` Relay Bypass
May 11, 2026
CVSS 7.2
EPSS 0.00
CVE-2026-41304 CRITICAL
WWBN AVideo vulnerable to RCE caused by clonesite plugin
Apr 22, 2026
CVSS 9.8
EPSS 0.02
CVE-2026-41064 CRITICAL
AVideo <=29.0 test.php URL Handling - Command Injection
Apr 22, 2026
CVSS 9.3
EPSS 0.00