Platform: php
Component: wwbn/avideo
Fixed versions: 26.0.1, 25.0.1
CVE-2026-33297 is a critical vulnerability affecting wwbn/avideo versions up to 25.0. This flaw resides within the setPassword.json.php endpoint of the CustomizeUser plugin, allowing attackers to bypass channel-level access controls. Due to a flawed password processing mechanism, any non-numeric characters in the submitted password are silently converted to zero, effectively granting unauthorized access to any channel. A fix is available in version 26.0.
The impact of CVE-2026-33297 is significant. An attacker can leverage this vulnerability to bypass channel-level access controls within wwbn/avideo. By exploiting this flaw, an attacker can effectively impersonate any user and gain unauthorized access to restricted content or functionality. This could lead to data breaches, unauthorized modifications, or disruption of services. The ease of exploitation, simply submitting a non-numeric password, makes this a high-risk vulnerability, particularly for systems with sensitive channel-protected content. The lack of proper input validation and sanitization is the root cause, allowing malicious input to bypass intended security measures.
CVE-2026-33297 was publicly disclosed on 2026-03-19. There are currently no known public proof-of-concept exploits available, but the simplicity of the vulnerability suggests that one could be developed quickly. Its severity and ease of exploitation make it a potential target for opportunistic attackers. The vulnerability is not currently listed on the CISA KEV catalog.
Organizations using wwbn/avideo versions 25.0 and earlier, particularly those relying on channel-level access controls to protect sensitive content, are at significant risk. Shared hosting environments where multiple users share the same instance of wwbn/avideo are especially vulnerable, as an attacker compromising one user account could potentially bypass channel access for other users.
• wordpress / composer / npm:
  grep -r 'setPassword.json.php' /var/www/avideo/
• generic web:
  curl -I 'http://your-avideo-site.com/api/customizeuser/setPassword.json.php?user_id=1&password=a'
• generic web:
  Check access logs for requests to /api/customizeuser/setPassword.json.php with non-numeric passwords.
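As an added illustration of the access-log check above (not part of the original advisory or the AVideo project), this Python script flags requests to the endpoint whose query-string password is not purely numeric. The log lines are constructed samples; the script assumes the password travels in the query string as in the curl example, since POST bodies never appear in access logs and are only flagged for correlation with application logs.

```python
import re
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/api/customizeuser/setPassword.json.php"

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [19/Mar/2026:10:01:02 +0000] "GET /api/customizeuser/setPassword.json.php?user_id=1&password=1234 HTTP/1.1" 200 57 "-" "curl/8.5.0"
203.0.113.11 - - [19/Mar/2026:10:01:07 +0000] "GET /api/customizeuser/setPassword.json.php?user_id=1&password=a HTTP/1.1" 200 57 "-" "curl/8.5.0"
203.0.113.12 - - [19/Mar/2026:10:01:09 +0000] "POST /api/customizeuser/setPassword.json.php HTTP/1.1" 200 57 "-" "Mozilla/5.0"
203.0.113.13 - - [19/Mar/2026:10:01:12 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.14 - - [19/Mar/2026:10:01:15 +0000] "GET /api/customizeuser/setPassword.json.php?user_id=7&password=12x HTTP/1.1" 200 57 "-" "python-requests/2.31"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def classify(line):
    """Return (ip, verdict) for a hit on the endpoint, or None otherwise.
    Verdicts: 'non-numeric' (the pattern the advisory describes, where the
    value would be coerced to 0), 'numeric', or 'body-not-logged' (POST)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path != ENDPOINT:
        return None
    pw = parse_qs(url.query, keep_blank_values=True).get("password")
    if pw is None:
        # No query-string password: the body is not in the access log,
        # so this hit needs correlation with application-level logs.
        return (m.group("ip"), "body-not-logged")
    verdict = "numeric" if all(p.isdigit() for p in pw) else "non-numeric"
    return (m.group("ip"), verdict)

def scan(log_text):
    """Group source IPs of endpoint hits by verdict."""
    hits = {"non-numeric": [], "numeric": [], "body-not-logged": []}
    for line in log_text.splitlines():
        r = classify(line)
        if r:
            hits[r[1]].append(r[0])
    return hits

if __name__ == "__main__":
    for verdict, ips in scan(SAMPLE_LOG).items():
        print(f"{verdict}: {ips}")
```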
Exploitation status: disclosure
EPSS: 0.04% (11th percentile)
The primary mitigation for CVE-2026-33297 is to upgrade to wwbn/avideo version 26.0 or later, which contains the necessary fix. If upgrading immediately is not feasible, consider implementing temporary workarounds. While a direct WAF rule is difficult to implement due to the underlying logic flaw, strict input validation on the setPassword.json.php endpoint can help. Specifically, reject any password submissions containing non-numeric characters. Monitor access logs for unusual password reset attempts. After upgrading, confirm the fix by attempting to set a password containing non-numeric characters; the operation should fail with an appropriate error message, and the password should not be set to '0'.
Update AVideo to version 26.0 or later. This version contains a fix for the IDOR vulnerability that allows administrators to set the channel password of any user, which could permit unauthorized access.
CVE-2026-33297 is a critical vulnerability in wwbn/avideo versions up to 25.0 that allows attackers to bypass channel access controls by setting any user's password to '0' due to flawed password processing.
You are affected if you are using wwbn/avideo versions 25.0 or earlier. Upgrade to version 26.0 to mitigate the risk.
Upgrade to wwbn/avideo version 26.0 or later. As a temporary workaround, implement strict input validation to reject non-numeric passwords.
There are currently no confirmed reports of active exploitation, but the vulnerability's simplicity makes it a potential target.
Refer to the wwbn/avideo security advisories on their official website or GitHub repository for the latest information.