WWBN AVideo is an open source video platform. In versions up to and including 26.0, the YPTWallet Stripe payment confirmation page directly echoes the `$_REQUEST['plugin']` parameter into a JavaScript block without any encoding or sanitization. The `plugin` parameter is not included in any of the framework's input filter lists defined in `security.php`, so it passes through completely raw. An attacker can inject arbitrary JavaScript by crafting a malicious URL and sending it to a victim user. The same script block also outputs the current user's username and password hash via `User::getUserName()` and `User::getUserPass()`, meaning a successful XSS exploitation can immediately exfiltrate these credentials. Commit fa0bc102493a15d79fe03f86c07ab7ca1b5b63e2 fixes the issue.
References
| Link | Resource |
|---|---|
| https://github.com/WWBN/AVideo/commit/fa0bc102493a15d79fe03f86c07ab7ca1b5b63e2 | Patch |
| https://github.com/WWBN/AVideo/security/advisories/GHSA-pm37-62g7-p768 | Exploit Vendor Advisory |
Configurations
History
31 Mar 2026, 18:48
| Type | Values Removed | Values Added |
|---|---|---|
| First Time |
Wwbn
Wwbn avideo |
|
| CPE | cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:* | |
| References | () https://github.com/WWBN/AVideo/commit/fa0bc102493a15d79fe03f86c07ab7ca1b5b63e2 - Patch | |
| References | () https://github.com/WWBN/AVideo/security/advisories/GHSA-pm37-62g7-p768 - Exploit, Vendor Advisory |
27 Mar 2026, 19:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-03-27 19:16
Updated : 2026-03-31 18:48
NVD link : CVE-2026-34375
Mitre link : CVE-2026-34375
CVE.ORG link : CVE-2026-34375
JSON object : View
Products Affected
wwbn
- avideo
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')