Platform
php
Component
wwbn/avideo
Fixed in
26.0.1
CVE-2026-34613 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting wwbn/avideo versions up to 26.0. This flaw allows an attacker to disable critical security plugins within the AVideo platform, potentially compromising user authentication and access controls. The vulnerability stems from insufficient CSRF token validation in the objects/pluginSwitch.json.php endpoint and bypasses ORM-level security checks. A fix is available; upgrading to a patched version is recommended.
The primary impact of CVE-2026-34613 is that an attacker can remotely disable security plugins within the AVideo platform. The attacker needs no credentials of their own; it suffices that the victim administrator has an active session in their browser. The objects/pluginSwitch.json.php endpoint, which handles plugin management, lacks proper CSRF protection. Furthermore, because the plugins table is explicitly listed in ignoreTableSecurityCheck(), the ORM-level Referer/Origin domain validation is skipped for it, widening the attack surface. The SameSite=None attribute on session cookies makes exploitation easier still, since the browser attaches the session cookie to cross-site requests. Disabling plugins such as LoginControl (2FA), subscription enforcement, or access control mechanisms can lead to unauthorized access, data breaches, and complete system compromise. Successful exploitation could result in a significant loss of data integrity and confidentiality.
CVE-2026-34613 was publicly disclosed on 2026-04-01. The vulnerability's severity is currently assessed as MEDIUM (CVSS 6.5). There is no indication of this vulnerability being added to the CISA KEV catalog at this time. The absence of a public proof-of-concept (POC) does not diminish the risk, as the vulnerability's nature makes it relatively straightforward to exploit. Active campaigns targeting this vulnerability are not currently known, but the ease of exploitation warrants proactive mitigation.
Exploit Status
EPSS
0.02% (3rd percentile)
The primary mitigation for CVE-2026-34613 is to upgrade to a patched version of wwbn/avideo (26.0.1, the fixed version listed above). If upgrading immediately is not feasible, consider temporary workarounds. Implement strict input validation and output encoding on all user-supplied data to minimize the risk of CSRF attacks. Consider using a Web Application Firewall (WAF) with CSRF protection rules to block malicious requests. Review and restrict access to the objects/pluginSwitch.json.php endpoint, limiting it to trusted administrators only. Monitor AVideo logs for suspicious activity, particularly requests that disable plugins. After upgrading, confirm the fix by attempting a CSRF request against the objects/pluginSwitch.json.php endpoint and verifying that it is rejected.
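The log monitoring recommended above can be scripted. The following is an added example, not AVideo's own code: it scans web-server access logs in Apache "combined" format for POST requests to the plugin-toggle endpoint whose Referer is missing or comes from another host. The log lines are constructed for the example, and `SITE_HOST` is a placeholder for the real site's hostname.

```php
<?php
// Added example (not AVideo's code): flag cross-site requests to the
// plugin-toggle endpoint in access logs. SITE_HOST is a placeholder.

declare(strict_types=1);

const SITE_HOST = 'avideo.example';
const ENDPOINT  = '/objects/pluginSwitch.json.php';

// Constructed sample log: one same-site admin toggle, one POST with a
// cross-site Referer, one POST with no Referer at all, one unrelated GET.
const SAMPLE_LOG = <<<'LOG'
203.0.113.5 - - [01/Apr/2026:10:00:01 +0000] "POST /objects/pluginSwitch.json.php HTTP/1.1" 200 48 "https://avideo.example/plugins/" "Mozilla/5.0"
198.51.100.9 - - [01/Apr/2026:10:02:17 +0000] "POST /objects/pluginSwitch.json.php HTTP/1.1" 200 48 "https://other-site.example/page.html" "Mozilla/5.0"
198.51.100.9 - - [01/Apr/2026:10:02:18 +0000] "POST /objects/pluginSwitch.json.php HTTP/1.1" 200 48 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Apr/2026:10:03:00 +0000] "GET /view/index.php HTTP/1.1" 200 1024 "https://avideo.example/" "Mozilla/5.0"
LOG;

// Returns the suspicious entries: POSTs to the endpoint whose Referer is
// absent or points at a different host. A Referer can be suppressed or
// forged by non-browser clients, so treat a hit as an alert, not as proof.
function findCrossSitePluginSwitches(string $log, string $siteHost): array
{
    $pattern = '/^(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>\S+) (?<path>\S+) [^"]*" (?<status>\d{3}) \S+ "(?<referer>[^"]*)"/';
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (!preg_match($pattern, $line, $m)) {
            continue;                                   // unparsable line
        }
        if ($m['method'] !== 'POST' || strpos($m['path'], ENDPOINT) !== 0) {
            continue;                                   // not a plugin toggle
        }
        $refHost = $m['referer'] === '-' ? null : parse_url($m['referer'], PHP_URL_HOST);
        if (is_string($refHost) && strcasecmp($refHost, $siteHost) === 0) {
            continue;                                   // same-site: expected admin traffic
        }
        $hits[] = [
            'ip'      => $m['ip'],
            'time'    => $m['time'],
            'status'  => (int) $m['status'],            // 200 means the toggle went through
            'referer' => $m['referer'],
            'reason'  => $refHost === null ? 'missing referer' : 'cross-site referer',
        ];
    }
    return $hits;
}

foreach (findCrossSitePluginSwitches(SAMPLE_LOG, SITE_HOST) as $hit) {
    printf("ALERT %s %s status=%d referer=%s (%s)\n",
        $hit['time'], $hit['ip'], $hit['status'], $hit['referer'], $hit['reason']);
}
```

On the constructed sample the scan reports the second and third lines; a status of 200 on such a line is the case worth investigating, since it means the plugin state was actually changed.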
Update AVideo to a version later than 26.0, where CSRF token validation has been implemented in the objects/pluginSwitch.json.php endpoint. This will prevent an attacker from disabling critical security plugins using CSRF attacks.
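The checks the fix has to add are shown below as an added example, not AVideo's actual code: a plugin-toggle handler that binds a per-session CSRF token into the admin form, verifies it in constant time, checks Origin/Referer in the endpoint itself so an ORM-level table exemption such as the ignoreTableSecurityCheck() listing cannot skip it, and issues the session cookie with SameSite=Strict instead of SameSite=None. All function names, the session keys and `SITE_HOST` are hypothetical.

```php
<?php
// Added example (not AVideo's code): defensive checks for a state-changing
// plugin-toggle endpoint. Names and session keys are hypothetical.

declare(strict_types=1);

const SITE_HOST        = 'avideo.example';  // placeholder: configure, do not read from Host header
const CSRF_SESSION_KEY = 'csrf_token';      // hypothetical session key
const CSRF_FIELD       = 'csrf_token';      // hypothetical hidden form field

// 1. Session cookie. SameSite=None lets the browser attach the admin session
//    to a cross-site POST; Strict (or Lax) plus Secure and HttpOnly does not.
function startHardenedSession(): void
{
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    session_start();
}

// 2. Per-session token, to be embedded in the admin form as a hidden field.
function csrfToken(): string
{
    if (empty($_SESSION[CSRF_SESSION_KEY])) {
        $_SESSION[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $_SESSION[CSRF_SESSION_KEY];
}

// 3. Constant-time comparison of the submitted token with the session's.
function csrfTokenIsValid($submitted): bool
{
    $expected = $_SESSION[CSRF_SESSION_KEY] ?? '';
    return $expected !== '' && is_string($submitted) && hash_equals($expected, $submitted);
}

// 4. Origin/Referer check done in the endpoint, independent of any ORM-level
//    exemption. Fails closed when neither header is present.
function requestIsSameOrigin(string $expectedHost): bool
{
    $source = $_SERVER['HTTP_ORIGIN'] ?? $_SERVER['HTTP_REFERER'] ?? null;
    if ($source === null) {
        return false;
    }
    $host = parse_url($source, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $expectedHost) === 0;
}

// Hypothetical handler: only an authenticated admin POST from the site's own
// origin carrying a valid token may change plugin state.
function handlePluginSwitch(string $expectedHost, callable $isAdmin, callable $switchPlugin): array
{
    if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
        http_response_code(405);
        return ['error' => true, 'msg' => 'POST required'];
    }
    if (!$isAdmin()) {
        http_response_code(403);
        return ['error' => true, 'msg' => 'admin session required'];
    }
    if (!requestIsSameOrigin($expectedHost) || !csrfTokenIsValid($_POST[CSRF_FIELD] ?? null)) {
        http_response_code(403);
        error_log('pluginSwitch rejected: bad origin or CSRF token');  // feeds log monitoring
        return ['error' => true, 'msg' => 'CSRF check failed'];
    }
    $name    = (string) ($_POST['name'] ?? '');
    $enabled = ($_POST['enabled'] ?? '0') === '1';
    if (!preg_match('/^[A-Za-z0-9_]+$/', $name)) {
        http_response_code(400);
        return ['error' => true, 'msg' => 'invalid plugin name'];
    }
    $switchPlugin($name, $enabled);
    return ['error' => false, 'name' => $name, 'enabled' => $enabled];
}

startHardenedSession();
header('Content-Type: application/json');
echo json_encode(handlePluginSwitch(
    SITE_HOST,
    fn(): bool => !empty($_SESSION['is_admin']),            // hypothetical admin flag
    function (string $name, bool $enabled): void {          // stand-in for the real toggle
        error_log(sprintf('plugin %s enabled=%d', $name, $enabled));
    }
));
```

The token and the Origin check are deliberately both required: the cookie attribute stops the browser sending the session cross-site, the Origin check catches requests that arrive anyway, and the token covers clients that omit both headers. The post-upgrade verification described above is simply a POST to the endpoint from a different origin or without the hidden field, which this handler answers with 403.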
CVE-2026-34613 is a CSRF vulnerability in wwbn/avideo versions up to 26.0, allowing attackers to disable security plugins.
If you are running wwbn/avideo version 26.0 or earlier, you are potentially affected by this vulnerability.
Upgrade to a patched version of wwbn/avideo. If immediate upgrade is not possible, implement temporary workarounds like WAF rules and input validation.
While there are no confirmed reports of active exploitation, the vulnerability's ease of exploitation warrants proactive mitigation.
Refer to the wwbn/avideo security advisories for the latest information and official guidance on CVE-2026-34613.