28 matches found
CVE-2026-33650
WWBN AVideo is an open source video platform. In versions up to and including 26.0, a user with the "Videos Moderator" permission can escalate privileges to perform full video management operations — including ownership transfer and deletion of any video — despite the permission being documented ...
EUVD-2026-14488
AVideo: Video Moderator Privilege Escalation via Ownership Transfer Enables Arbitrary Video Deletion...
GHSA-8X77-F38V-4M5J AVideo: Video Moderator Privilege Escalation via Ownership Transfer Enables Arbitrary Video Deletion
Summary: A user with the "Videos Moderator" permission can escalate privileges to perform full video management operations — including ownership transfer and deletion of any video — despite the permission being documented as only allowing video publicity changes (Active, Inactive, Unlisted). The roo...
CVE-2026-33650 AVideo's Video Moderator Privilege Escalation via Ownership Transfer Enables Arbitrary Video Deletion
WWBN AVideo is an open source video platform. In versions up to and including 26.0, a user with the "Videos Moderator" permission can escalate privileges to perform full video management operations — including ownership transfer and deletion of any video — despite the permission being documented ...
CVE-2026-33650
Summary: WWBN AVideo (≤26.0) allows a user with the Videos Moderator permission to perform full video management, including ownership transfer and deletion, despite the permission only enabling publicity changes. Root cause: Permissions::canModerateVideos() is used as the authorization gate for f...
PT-2026-27172
Name of the Vulnerable Software and Affected Versions: AVideo versions up to and including 26.0. Description: AVideo is an open source video platform. A user with the "Videos Moderator" permission can escalate privileges to perform full video management operations, including ownership transfer and...
CVE-2025-14947
The All-in-One Video Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_callback_create_bunny_stream_video, ajax_callback_get_bunny_stream_video, and ajax_callback_delete_bunny_stream_video functions in all versions up to, and including,...
CVE-2025-14947
The CVE-2025-14947 entry concerns the All-in-One Video Gallery WordPress plugin (versions up to 4.6.4). The vulnerability is a missing capability check in ajax_callback_create_bunny_stream_video, ajax_callback_get_bunny_stream_video, and ajax_callback_delete_bunny_stream_video, allowing unauthent...
CVE-2025-14947 All-in-One Video Gallery <= 4.6.4 - Missing Authorization to Unauthenticated Bunny Stream Video Creation/Deletion
The All-in-One Video Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_callback_create_bunny_stream_video, ajax_callback_get_bunny_stream_video, and ajax_callback_delete_bunny_stream_video functions in all versions up to, and including,...
CVE-2025-7896 harry0703 MoneyPrinterTurbo video.py delete_video path traversal
A vulnerability has been found in harry0703 MoneyPrinterTurbo up to 1.2.6 and classified as critical. Affected by this vulnerability is the function download_video/delete_video of the file app/controllers/v1/video.py. The manipulation leads to path traversal. The attack can be launched remotely...
CVE-2023-5945
The video carousel slider with lightbox plugin for WordPress is vulnerable to Cross-Site Request Forgery in version 1.0. This is due to missing or incorrect nonce validation on the responsivevideogallerywithlightboxvideomanagementfunc function. This makes it possible for unauthenticated attackers...
video carousel slider with lightbox 1.0 - Cross-Site Request Forgery
Description: The video carousel slider with lightbox plugin for WordPress is vulnerable to Cross-Site Request Forgery in version 1.0. This is due to missing or incorrect nonce validation on the responsivevideogallerywithlightboxvideomanagementfunc function. This makes it possible for unauthenticat...
Cross-Site Request Forgery (CSRF)
The video carousel slider with lightbox plugin for WordPress is vulnerable to Cross-Site Request Forgery in version 1.0. This is due to missing or incorrect nonce validation on the responsivevideogallerywithlightboxvideomanagementfunc function. This makes it possible for unauthenticated attackers...