Server-side Request Forgery (SSRF)

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the statsURL parameter in the plugin/Live/test.php endpoint. An administrator can access sensitive internal resources and clou...

GHSA-WXJX-R2J2-96FX AVideo: Full-Read SSRF Through Unvalidated statsURL Parameter in plugin/Live/test.php

Summary The plugin/Live/test.php endpoint accepts a URL via the statsURL parameter and fetches it server-side using filegetcontents, curlexec, or wget, returning the full response content in the HTML output. The only validation is a trivial regex /^http/ that does not block requests to...

CVE-2018-17074

The Feed Statistics plugin before 4.0 for WordPress has an Open Redirect via the feed-stats-url parameter...

Open redirect

The Feed Statistics plugin before 4.0 for WordPress has an Open Redirect via the feed-stats-url parameter...