CVE-2026-34613

MEDIUM

AVideo: CSRF on Plugin Enable/Disable Endpoint Allows Disabling Security Plugins

Title source: cna

Description

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo endpoint objects/pluginSwitch.json.php allows administrators to enable or disable any installed plugin. The endpoint checks for an active admin session but does not validate a CSRF token. Additionally, the plugins database table is explicitly listed in ignoreTableSecurityCheck(), which means the ORM-level Referer/Origin domain validation in ObjectYPT::save() is also bypassed. Combined with SameSite=None on session cookies, an attacker can disable critical security plugins (such as LoginControl for 2FA, subscription enforcement, or access control plugins) by luring an admin to a malicious page. At time of publication, there are no publicly available patches.

References (1)

[X_Refsource_Confirm] https://github.com/WWBN/AVideo/security/advisories/GHSA-hqxf-mhfw-rc44

Scores

CVSS v3 6.5

EPSS 0.0002

EPSS Percentile 3.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-352

Status published

Products (3)

wwbn/avideo < 26.0

wwbn/avideo 0Packagist

WWBN/AVideo <= 26.0

Published Mar 31, 2026

Tracked Since Apr 01, 2026