Platform: php
Component: wwbn/avideo
Fixed version: 26.0.1
CVE-2026-33479 describes a critical Cross-Site Request Forgery (CSRF) vulnerability discovered in the AVideo Gallery plugin for PHP. This flaw allows an attacker to execute arbitrary code on a server if an administrator visits a malicious webpage. The vulnerability impacts versions of the plugin up to 26.0, and a patch is expected to be released by the vendor.
The core of the vulnerability lies within the saveSort.json.php endpoint, which handles the sorting of gallery sections. This endpoint passes unsanitized user-supplied data from the $_REQUEST['sections'] array directly into PHP's eval() function. Access to the endpoint is restricted to administrators via User::isAdmin(), but there is no CSRF protection, so that check is the only gate. AVideo's configuration of SameSite=None for session cookies makes the problem worse: the browser attaches the administrator's session cookie to requests forged from a different origin, so the admin check passes for a request the administrator never intended to send. Successful exploitation therefore gives an attacker who holds no credentials of their own Remote Code Execution (RCE) on the server, and with it complete control over the affected host. This is a high-impact vulnerability with the potential for significant data breaches, system compromise, and further lateral movement within the network.
While no public exploits have been released, the vulnerability's ease of exploitation and the potential for RCE make it a high-priority target. The use of eval() with unsanitized user input is a well-known security risk, and the combination with CSRF and SameSite=None cookies significantly increases the attack surface. The vulnerability was publicly disclosed on 2026-03-20. It is recommended to monitor security advisories and threat intelligence feeds for any signs of active exploitation.
Websites utilizing the AVideo Gallery plugin, particularly those with administrator accounts that frequently browse external websites, are at significant risk. Shared hosting environments where multiple websites share the same server are also vulnerable, as a compromise of one website could potentially lead to the compromise of others. Legacy configurations with outdated versions of the plugin are especially susceptible.
• php / wordpress:
grep -r 'eval($_REQUEST' /var/www/html/plugin/Gallery/view/
• php / wordpress:
find /var/www/html/plugin/Gallery/view/ -name 'saveSort.json.php' -print
• generic web:
curl -I https://your-website.com/plugin/Gallery/view/saveSort.json.php | grep 'SameSite'
Exploitation status
EPSS: 0.14% (34th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-33479 is to upgrade to a patched version of the AVideo Gallery plugin as soon as it becomes available. Until a patch is released, consider temporary workarounds. A Web Application Firewall (WAF) can be configured to block requests to the saveSort.json.php endpoint or to filter requests whose sections parameter contains suspicious patterns (such as PHP syntax rather than section names). Restrict administrator access to only the resources it needs and enforce strict input validation on all user-supplied data. Monitor server logs for unusual activity, particularly requests to the vulnerable endpoint. After upgrading, confirm the fix by issuing a cross-origin request to the saveSort.json.php endpoint from a test page you control and verifying that the request is rejected.
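As an added example (not code from AVideo or from this advisory), here is the shape a hardened version of such a sort-saving endpoint takes in PHP, combining the three fixes the description above implies: a session cookie that is not sent cross-site, a CSRF token check in addition to the admin check, and handling of the sections parameter as validated data rather than as eval() input. User::isAdmin() is the check the advisory names; $_SESSION['csrf_token'] and Gallery_Sort::save() are hypothetical names.

```php
<?php
// Added example, not AVideo's code: a hardened admin-only "save sort order"
// handler. $_SESSION['csrf_token'] and Gallery_Sort::save() are hypothetical;
// User::isAdmin() is the authorisation check the advisory mentions.

// Browsers do not attach a SameSite=Lax cookie to cross-site POSTs; the
// SameSite=None setting described in the advisory is what lets a forged
// request carry the administrator's session.
session_set_cookie_params([
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

function reject(int $status, string $msg): void {
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode(['error' => true, 'msg' => $msg]);
    exit;
}

// 1. State-changing requests must be POST and must carry the per-session
//    token the admin page embedded in its form (assumed to be generated once
//    with bin2hex(random_bytes(32)) and kept in $_SESSION['csrf_token']).
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    reject(405, 'POST required');
}
$expected = $_SESSION['csrf_token'] ?? '';
$sent     = $_POST['csrf_token'] ?? '';
if ($expected === '' || !is_string($sent) || !hash_equals($expected, $sent)) {
    reject(403, 'invalid CSRF token');
}

// 2. The authorisation check stays, but it is no longer the only gate.
if (!User::isAdmin()) {
    reject(403, 'admin only');
}

// 3. Treat "sections" as data: decode it, accept only the expected shape,
//    and never pass any part of it to eval().
$sections = json_decode((string)($_POST['sections'] ?? '[]'), true);
if (!is_array($sections)) {
    reject(400, 'sections must be a JSON array');
}
$order = [];
foreach (array_values($sections) as $position => $name) {
    if (!is_string($name) || !preg_match('/^[A-Za-z0-9_]{1,64}$/', $name)) {
        reject(400, 'invalid section name');
    }
    $order[$name] = $position;
}
Gallery_Sort::save($order); // hypothetical: persist as JSON, never as PHP source
echo json_encode(['error' => false, 'order' => $order]);
```

Rejecting a request that lacks the token is also the behaviour to look for when confirming the fix after upgrading.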
Update AVideo to a version later than 26.0. The vulnerability is fixed in commit 087dab8841f8bdb54be184105ef19b47c5698fcb. This prevents PHP code injection through the eval() function in the Gallery plugin.
CVE-2026-33479 is a critical CSRF vulnerability in the AVideo Gallery plugin for PHP, allowing unauthenticated RCE via crafted requests to the saveSort.json.php endpoint.
You are affected if you are using AVideo Gallery plugin versions 26.0 or earlier. Administrators are particularly at risk.
Upgrade to a patched version of the AVideo Gallery plugin as soon as it is available. Implement WAF rules and restrict administrator access as temporary mitigations.
While no public exploits are currently known, the vulnerability's ease of exploitation makes it a high-priority target. Monitor security advisories for updates.
Refer to the AVideo project's official website and security advisories for updates and the latest patch information.