Platform
php
Component
wwbn/avideo
Fixed version
26.0.1
25.0.1
CVE-2026-33295 describes a stored cross-site scripting (XSS) vulnerability in the WWBN/AVideo CDN plugin. An attacker who can store a crafted video title can have arbitrary JavaScript rendered into the download page and executed in the browser of anyone who opens it, which can lead to session hijacking, defacement, or actions performed with the victim's session. The vulnerability affects WWBN/AVideo versions up to and including 25.0; a fix is available in version 26.0.
The impact is significant because the injection is stored, not reflected. An attacker who can create or modify video records in the WWBN/AVideo system only has to set a malicious title once; every user who later visits the download page for that video runs the payload in their own browser. This allows the attacker to steal session cookies (where they are not protected by HttpOnly), redirect the victim to a phishing site, or rewrite the page content. The blast radius is every user who accesses the affected download pages, regardless of their role or privileges within the system, including administrators. The root cause is the familiar one: user-controlled data written into HTML without output encoding.
CVE-2026-33295 was publicly disclosed on 2026-03-19. No public proof-of-concept (PoC) code has been released at the time of writing, but stored XSS of this kind is simple enough to reproduce that a PoC is likely to appear. Note that the CVSS base score of 7.5 (HIGH) rates severity, not likelihood of exploitation; the EPSS score on this page (0.01%) is the likelihood estimate, and it currently sits at the bottom of the distribution. The CVE is not listed on the CISA KEV catalog.
Organizations that use the WWBN/AVideo CDN plugin for video delivery are at risk, particularly those that accept user-generated content or where video titles are not strictly controlled. Shared hosting and multi-tenant deployments, where many users can create video records, are especially exposed because any one tenant can attack every other tenant's viewers.
• wordpress / composer / npm:
grep -rF "echo \$video['clean_title']" /var/www/avideo/plugins/cdn/
(Checks the installed plugin source for the unescaped echo of the title field; the dollar sign is escaped so the shell does not expand $video before grep sees it. A match means the field is still emitted raw.)
• generic web:
curl -I https://example.com/video/download.php?id=123 | grep -i 'content-type: application/javascript'
(A response-header check only; it does not prove the page is safe, so prefer the source check or the post-upgrade verification described under the mitigation.)
Exploitation status
EPSS
0.01% (1st percentile)
CISA SSVC
The primary mitigation for CVE-2026-33295 is to upgrade WWBN/AVideo to version 26.0 or later, which contains the fix. If you cannot upgrade immediately, a Web Application Firewall (WAF) rule that rejects script-like content in the 'cleantitle' field is a stopgap only: WAF signatures for XSS are routinely bypassed with encoding tricks and alternative event handlers, so it buys time rather than closing the hole. In parallel, review existing video records for titles containing HTML or JavaScript and remove or re-title any suspicious entries, since an already-stored payload is not affected by the WAF or by the upgrade until the record is cleaned. Monitor access logs for unusual activity against video download pages. After upgrading, confirm the fix by creating a test video whose 'cleantitle' contains a harmless marker payload (for example alert('XSS')) and verifying both that the payload does not execute when the download page is loaded and that it appears HTML-encoded in the page source.
Update AVideo to version 26.0 or later. This version fixes the stored XSS vulnerability in the CDN plugin and prevents attackers from injecting malicious JavaScript through the video title.
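The two paragraphs above describe the bug (a stored title echoed raw into the download page) and the verification step after the fix. The following is an added example, written for this page and not taken from AVideo's code base, that shows the vulnerable rendering pattern beside the encoded one and runs the post-upgrade check against a constructed payload. The array shape `$video['clean_title']`, the page markup, and the helper names are assumptions for illustration.

```php
<?php
// Added example (not AVideo code): a minimal stand-in for a download page
// that renders a stored video title. The record shape and markup are assumed.

declare(strict_types=1);

// Constructed sample record: a title as stored by an attacker who can
// create or edit video records.
$video = [
    'id'          => 123,
    'clean_title' => "Holiday clip<script>alert('XSS')</script>",
];

// Vulnerable pattern: user-controlled field interpolated straight into HTML.
function renderDownloadPageVulnerable(array $video): string
{
    return "<h1>Download: {$video['clean_title']}</h1>\n"
         . "<a href=\"/video/download.php?id={$video['id']}\">Download</a>\n";
}

// Hardened pattern: contextual output encoding for HTML text and attribute
// values. ENT_QUOTES also escapes single quotes so the same helper is safe
// inside single-quoted attributes.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderDownloadPageFixed(array $video): string
{
    $id = (int) $video['id'];   // numeric id: coerce the type, do not just escape
    return "<h1>Download: " . h($video['clean_title']) . "</h1>\n"
         . "<a href=\"/video/download.php?id={$id}\">Download</a>\n";
}

// Post-upgrade verification from the mitigation text: the raw tag must not
// survive into the markup. A true result means the payload would execute.
function payloadSurvives(string $html): bool
{
    return stripos($html, '<script') !== false;
}

$vuln  = renderDownloadPageVulnerable($video);
$fixed = renderDownloadPageFixed($video);

printf("vulnerable page executes payload: %s\n", payloadSurvives($vuln) ? 'yes' : 'no');
printf("fixed page executes payload:      %s\n", payloadSurvives($fixed) ? 'yes' : 'no');
echo "\n", $fixed;
```

Run it with `php example.php`; the vulnerable renderer reports `yes` and the fixed one `no`, and the printed fixed page shows the title as `&lt;script&gt;...` rather than a live tag. The same `payloadSurvives` check, pointed at the real download page fetched after the upgrade, is the confirmation step the mitigation asks for.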
CVE-2026-33295 is a stored cross-site scripting vulnerability in the WWBN/AVideo CDN plugin, allowing attackers to inject JavaScript code via video titles.
You are affected if you are using WWBN/AVideo versions 25.0 or earlier. Upgrade to version 26.0 to mitigate the risk.
Upgrade WWBN/AVideo to version 26.0 or later. As a temporary workaround, implement a WAF rule to filter malicious JavaScript in video titles.
There is no confirmed active exploitation at this time, but the vulnerability's nature suggests a potential for exploitation.
Refer to the official WWBN/AVideo security advisory for detailed information and updates regarding CVE-2026-33295.