126 matches found
GHSA-V4H7-3X43-QQW4 AVideo has Stored XSS via Unescaped Plugin Configuration Values in Admin Panel
Summary The AVideo admin panel renders plugin configuration values in HTML forms without applying htmlspecialchars or any other output encoding. The jsonToFormElements function in admin/functions.php directly interpolates user-controlled values into textarea contents, option elements, and input...
AVideo has Stored XSS via Unescaped Plugin Configuration Values in Admin Panel
Summary The AVideo admin panel renders plugin configuration values in HTML forms without applying htmlspecialchars or any other output encoding. The jsonToFormElements function in admin/functions.php directly interpolates user-controlled values into textarea contents, option elements, and input...
AVideo's CSRF on Admin Plugin Configuration Enables Payment Credential Hijacking
Summary AVideo's admin plugin configuration endpoint admin/save.json.php lacks any CSRF token validation. There is no call to isGlobalTokenValid or verifyToken before processing the request. Combined with the application's explicit SameSite=None cookie policy, an attacker can forge cross-origin...
CVE-2026-34394
WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's admin plugin configuration endpoint admin/save.json.php lacks any CSRF token validation. There is no call to isGlobalTokenValid or verifyToken before processing the request. Combined with the application's explicit...
CVE-2026-34396
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo admin panel renders plugin configuration values in HTML forms without applying htmlspecialchars or any other output encoding. The jsonToFormElements function in admin/functions.php directly interpolates...
CVE-2026-34396 AVideo: Stored XSS via Unescaped Plugin Configuration Values in Admin Panel
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo admin panel renders plugin configuration values in HTML forms without applying htmlspecialchars or any other output encoding. The jsonToFormElements function in admin/functions.php directly interpolates...
CVE-2026-34396
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo admin panel renders plugin configuration values in HTML forms without applying htmlspecialchars or any other output encoding. The jsonToFormElements function in admin/functions.php directly interpolates...
CVE-2026-34396 AVideo: Stored XSS via Unescaped Plugin Configuration Values in Admin Panel
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo admin panel renders plugin configuration values in HTML forms without applying htmlspecialchars or any other output encoding. The jsonToFormElements function in admin/functions.php directly interpolates...
EUVD-2026-17634
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo admin panel renders plugin configuration values in HTML forms without applying htmlspecialchars or any other output encoding. The jsonToFormElements function in admin/functions.php directly interpolates...
CVE-2026-34396
WWBN AVideo (versions 26.0 and earlier) has a stored XSS vulnerability in the admin plugin configuration handling. The jsonToFormElements() function in admin/functions.php directly interpolates user-controlled values into HTML form fields (textarea contents, option elements, and input attributes)...
CVE-2026-34396 AVideo: Stored XSS via Unescaped Plugin Configuration Values in Admin Panel
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo admin panel renders plugin configuration values in HTML forms without applying htmlspecialchars or any other output encoding. The jsonToFormElements function in admin/functions.php directly interpolates...
CVE-2026-34394 AVideo: CSRF on Admin Plugin Configuration Enables Payment Credential Hijacking
WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's admin plugin configuration endpoint admin/save.json.php lacks any CSRF token validation. There is no call to isGlobalTokenValid or verifyToken before processing the request. Combined with the application's explicit...
CVE-2026-34394 AVideo: CSRF on Admin Plugin Configuration Enables Payment Credential Hijacking
WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's admin plugin configuration endpoint admin/save.json.php lacks any CSRF token validation. There is no call to isGlobalTokenValid or verifyToken before processing the request. Combined with the application's explicit...
PT-2026-29355
Name of the Vulnerable Software and Affected Versions AVideo versions 26.0 and prior Description The AVideo admin panel does not properly encode plugin configuration values when rendering them in HTML forms. The jsonToFormElements function in admin/functions.php directly interpolates...
WWBN AVideo 跨站请求伪造漏洞
WWBN AVideo is a video platform building system developed by the WWBN team using PHP. Versions of WWBN AVideo prior to 26.0 contained a cross-site request forgeing vulnerability. This vulnerability stemmed from the lack of CSRF token verification at the administrator plugin configuration endpoint...
CVE-2025-11725
The Aruba HiSpeed Cache plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability checks on the multiple functions in all versions up to, and including, 3.0.2. This makes it possible for unauthenticated attackers to modify plugin's configuration settings,...
CVE-2026-1215
The MMA Call Tracking plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.3.15. This is due to missing nonce validation when saving plugin configuration on the mmacalltrackingmenu admin page. This makes it possible for unauthenticated attackers...
WordPress plugin MMA Call Tracking 跨站请求伪造漏洞
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...
Advantech WISE-DeviceOn Server Cross-Site Scripting Vulnerability (CNVD-2025-3097500)
Advantech WISE-DeviceOn Server is Advantech's next-generation unified device management solution based on the WISE-DeviceOn platform. Advantech WISE-DeviceOn Server suffers from a cross-site scripting vulnerability that originates from the lack of effective filtering and escaping of user-supplied...
CVE-2025-34266
Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting XSS vulnerability in the /rmm/v1/plugin-config/addins/menus endpoint. When an authenticated user adds or edits an AddIns menu entry, the label and path values are stored in plugin configuration data and lat...