Platform
php
Component
wwbn/avideo
Fixed version
26.0.1
CVE-2026-33719 is a high-severity vulnerability affecting the wwbn/avideo CDN plugin, specifically versions up to 26.0. The vulnerability allows unauthenticated attackers to modify the entire CDN configuration through mass assignment. This is due to a bypass in the key validation check when the plugin is enabled but the authentication key is not configured, which defaults to an empty string. A fix is available in a patched version of the plugin.
An attacker exploiting CVE-2026-33719 can gain complete control over the CDN configuration. This includes modifying CDN URLs, storage credentials, and even the authentication key itself. Successful exploitation allows an attacker to redirect traffic, potentially serving malicious content or stealing sensitive data stored by the CDN. The impact extends beyond the immediate plugin, as the CDN configuration often controls access to critical assets. This vulnerability is particularly concerning because it requires no authentication, making it easily exploitable by a wide range of attackers.
Public details of CVE-2026-33719 were disclosed on 2026-03-25. The vulnerability's ease of exploitation, combined with the potential impact, suggests a medium probability of exploitation. No known public proof-of-concept (POC) code has been released as of this writing, but the vulnerability's simplicity makes it likely that one will emerge. It is not currently listed on the CISA KEV catalog.
Organizations using the wwbn/avideo CDN plugin in versions 26.0 and below, particularly those with the plugin enabled but without a configured authentication key, are at significant risk. Shared hosting environments where multiple users share the same plugin installation are also particularly vulnerable.
• wordpress / composer / npm:
grep -r 'plugin/CDN/status.json.php' /var/www/html/
• generic web:
curl -I <your_cdn_endpoint>/plugin/CDN/status.json.php
• generic web:
Check access logs for requests to plugin/CDN/status.json.php or plugin/CDN/disable.json.php without a valid authentication key.
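The access-log check above can be scripted. The following is an added example, not code from the advisory or the AVideo project; it assumes the common/combined log format, uses constructed sample lines, and treats `trusted_ips` as a hypothetical allowlist of your own CDN hosts. Access logs in this format do not record request bodies, so the script reports every request to the two endpoints from a non-allowlisted client rather than trying to judge the key.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# The two endpoints named in the advisory.
ENDPOINTS = ("/plugin/CDN/status.json.php", "/plugin/CDN/disable.json.php")

# Assumed log layout: ip ident user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Mar/2026:10:01:02 +0000] "POST /plugin/CDN/status.json.php HTTP/1.1" 200 48 "-" "example-agent"',
    '203.0.113.7 - - [25/Mar/2026:10:01:09 +0000] "POST /plugin//CDN/disable.json.php?x=1 HTTP/1.1" 200 31 "-" "example-agent"',
    '198.51.100.20 - - [25/Mar/2026:10:02:00 +0000] "GET /view/img/logo.png HTTP/1.1" 200 5120 "-" "example-agent"',
    '192.0.2.10 - - [25/Mar/2026:10:03:00 +0000] "POST /plugin/CDN/status.json.php HTTP/1.1" 200 48 "-" "example-agent"',
]

def find_cdn_endpoint_hits(lines, trusted_ips=()):
    """Group requests to the CDN endpoints by client IP, skipping trusted hosts."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["ip"] in trusted_ips:
            continue
        # Match on the decoded path only, so a query string, percent-encoding
        # or doubled slashes cannot hide a request to the endpoint.
        path = re.sub(r"/+", "/", unquote(m["target"].split("?", 1)[0]))
        for endpoint in ENDPOINTS:
            if endpoint in path:
                hits[m["ip"]].append(
                    {"time": m["time"], "method": m["method"],
                     "endpoint": endpoint, "status": int(m["status"])}
                )
    return dict(hits)

if __name__ == "__main__":
    # 192.0.2.10 stands in for your own CDN node (hypothetical allowlist entry).
    for ip, reqs in find_cdn_endpoint_hits(SAMPLE_LOG, {"192.0.2.10"}).items():
        for r in reqs:
            print(ip, r["time"], r["method"], r["endpoint"], r["status"])
```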
disclosure
Exploit status
EPSS
0.12% (32nd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-33719 is to upgrade to a patched version of the wwbn/avideo CDN plugin. If upgrading immediately is not possible, temporarily disabling the CDN plugin is a viable workaround. As a further precaution, implement strict input validation on all parameters passed to the plugin/CDN/status.json.php and plugin/CDN/disable.json.php endpoints. Monitor access logs for unusual activity targeting these endpoints. After upgrading, confirm the fix by attempting to modify the CDN configuration without providing a valid authentication key; the request should be rejected.
Update AVideo to a version later than 26.0. If you cannot update, disable the CDN plugin or set a secure authentication key for the CDN plugin.
CVE-2026-33719 is a high-severity vulnerability in the wwbn/avideo CDN plugin that allows unauthenticated attackers to modify CDN configurations due to a bypassed key validation check.
You are affected if you are using wwbn/avideo CDN plugin versions 26.0 and below, especially if the authentication key is not configured.
Upgrade to a patched version of the wwbn/avideo CDN plugin. If immediate upgrade is not possible, disable the plugin temporarily.
While no public exploits are currently known, the vulnerability's simplicity suggests a potential for exploitation.
Refer to the wwbn/avideo project's official website or repository for the latest security advisories and updates.