38 matches found
CVE-2026-45580
CVE-2026-45580 affects WWBN/AVideo versions 29.0 and earlier, via stored XSS in the Live plugin’s YouTube-style live view. The root cause is that modeYoutubeLive.php renders the live stream key directly into an HTML class attribute without escaping, enabling a canStream user to persist a key cont...
AVideo: stored XSS via unescaped stream key in modeYoutubeLive.php class attribute
Summary Type: Stored cross-site scripting. The Live plugin's "YouTube-style" view renders the live transmission's stream key into an HTML class attribute by raw echo, without htmlspecialchars. A canStream user can persist a key containing " plus an event handler via plugin/Live/saveLive.php, and...
GHSA-M5J4-7R85-2CJ2 AVideo: stored XSS via unescaped stream key in modeYoutubeLive.php class attribute
Summary Type: Stored cross-site scripting. The Live plugin's "YouTube-style" view renders the live transmission's stream key into an HTML class attribute by raw echo, without htmlspecialchars. A canStream user can persist a key containing " plus an event handler via plugin/Live/saveLive.php, and...
Cross-site Scripting (XSS)
Overview: wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the rendering of the modeYoutubeLive.php template, where user-supplied input is echoed directly into an HTML class attribute without...
CVE-2026-40907
WWBN AVideo is an open source video platform. In versions 29.0 and prior, the endpoint plugin/Live/view/Liverestreams/list.json.php contains an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated user with streaming permission to retrieve other users' live restream...
EUVD-2026-24284
WWBN AVideo is an open source video platform. In versions 29.0 and prior, the endpoint plugin/Live/view/Liverestreams/list.json.php contains an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated user with streaming permission to retrieve other users' live restream...
GHSA-GPGP-W4X2-H3H7 WWBN AVideo has an IDOR in Live Restreams list.json.php Exposes Other Users' Stream Keys and OAuth Tokens
Summary: The endpoint plugin/Live/view/Liverestreams/list.json.php contains an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated user with streaming permission to retrieve other users' live restream configurations, including third-party platform stream keys and OAut...
EUVD-2025-19340
Malicious code in bioql PyPI...
CVE-2025-53261
Cross-Site Request Forgery (CSRF) vulnerability in macbookandrew WP YouTube Live (wp-youtube-live) allows Cross Site Request Forgery. This issue affects WP YouTube Live: from n/a through <= 1.10.0...
WordPress WP YouTube Live plugin <= 1.10.0 - Cross Site Request Forgery (CSRF) vulnerability
Cross Site Request Forgery (CSRF) vulnerability discovered by Mika in WordPress Plugin WP YouTube Live versions <= 1.10.0...
CVE-2025-53261
Cross-Site Request Forgery (CSRF) vulnerability in macbookandrew WP YouTube Live (wp-youtube-live) allows Cross Site Request Forgery. This issue affects WP YouTube Live: from n/a through <= 1.10.0...
CVE-2025-53261
CVE-2025-53261 affects WordPress plugin WP YouTube Live (macbookandrew). Vulnerability type: Cross-Site Request Forgery (CSRF). Affected versions:
CVE-2025-53261 WordPress WP YouTube Live plugin <= 1.10.0 - Cross Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability in macbookandrew WP YouTube Live (wp-youtube-live) allows Cross Site Request Forgery. This issue affects WP YouTube Live: from n/a through <= 1.10.0...
WordPress plugin WP YouTube Live cross-site request forgery vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a set of blogging platforms developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A cross-site reques...
PT-2025-27168 · WordPress · Wp Youtube Live
Name of the Vulnerable Software and Affected Versions: WP YouTube Live versions 1.10.0 and earlier. Description: A Cross-Site Request Forgery (CSRF) issue affects the software, allowing unauthorized requests. Recommendations: For WP YouTube Live versions 1.10.0 and earlier, update to a version that...
CVE-2022-1187
The WordPress WP YouTube Live Plugin is vulnerable to Reflected Cross-Site Scripting via POST data found in the /inc/admin.php file which allows unauthenticated attackers to inject arbitrary web scripts in versions up to, and including, 1.7.21...
CVE-2022-1334
The WP YouTube Live WordPress plugin before 1.8.3 does not validate, sanitise and escape various of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed...
Join us at InfoSec Jupyterthon 2022
Notebooks are gaining popularity in InfoSec. Used interactively for investigations and hunting or as scheduled processing jobs, notebooks offer plenty of advantages over traditional security operations center (SOC) tools. Sitting somewhere between scripting/macros and a full-blown development...
CVE-2022-1334
The WP YouTube Live WordPress plugin before 1.8.3 does not validate, sanitise and escape various of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed...
CVE-2022-1334
The CVE-2022-1334 entry concerns the WordPress WP YouTube Live plugin (versions before 1.8.3). The vulnerability stems from insufficient validation, sanitization, and escaping of multiple settings, enabling Cross-Site Scripting (XSS) by high-privilege users (e.g., admins), even when unfiltered_ht...