CVE-2026-33507 Overview
CVE-2026-33507 is a Cross-Site Request Forgery (CSRF) vulnerability in WWBN AVideo, an open source video platform. In versions up to and including 26.0, the objects/pluginImport.json.php endpoint allows admin users to upload and install plugin ZIP files containing executable PHP code, but lacks any CSRF protection. Combined with the application explicitly setting session.cookie_samesite = 'None' for HTTPS connections, an unauthenticated attacker can craft a page that, when visited by an authenticated admin, silently uploads a malicious plugin containing a PHP webshell, achieving Remote Code Execution on the server.
Critical Impact
Unauthenticated attackers can achieve Remote Code Execution by tricking authenticated administrators into visiting a malicious page, enabling full server compromise through webshell deployment.
Affected Products
- WWBN AVideo versions up to and including 26.0
- AVideo installations using HTTPS with default session cookie configurations
- Self-hosted AVideo instances with administrator accounts
Discovery Timeline
- 2026-03-23 - CVE-2026-33507 published to NVD
- 2026-03-24 - Last updated in NVD database
Technical Details for CVE-2026-33507
Vulnerability Analysis
This vulnerability chains two weaknesses in WWBN AVideo. The root issue is that objects/pluginImport.json.php accepts plugin ZIP uploads from authenticated administrators without validating any CSRF token. A missing token is often partly masked by browsers that treat a cookie with no SameSite attribute as Lax (Chromium-based browsers do), because a cross-site POST then arrives without the session cookie. AVideo's cookie configuration removes that safety net.
When AVideo detects an HTTPS connection, it explicitly configures session.cookie_samesite = 'None' (together with session.cookie_secure, which SameSite=None requires). This was intentional: it keeps users authenticated inside cross-origin iframe embeds, such as video players on third-party sites. The same setting means the session cookie is attached to any cross-site request, including one initiated by a malicious page. Because multipart/form-data is a CORS-safelisted Content-Type, a cross-origin POST carrying it (a plain HTML form submission, or a fetch() with a FormData body) is sent without an OPTIONS preflight, and without a token the server cannot tell it apart from a first-party upload.
The attack requires user interaction: an authenticated administrator must visit an attacker-controlled page. That page can then submit a multipart POST to the vulnerable endpoint in the background (a file input cannot be pre-filled from markup, so the page assembles the upload body in script), delivering a ZIP that contains a PHP webshell. The server processes it as a legitimate admin request because the session cookie accompanies the cross-origin request.
Root Cause
The vulnerability exists due to missing CSRF token validation on a state-changing endpoint combined with a permissive SameSite=None cookie policy. The plugin import functionality performs authentication checks but does not verify that the request originated from a legitimate user action within the application. CWE-352 (Cross-Site Request Forgery) accurately classifies this weakness.
Attack Vector
The attack is network-based and requires no authentication from the attacker's perspective. The exploitation flow involves:
- Attacker hosts a malicious webpage containing an auto-submitting form targeting the vulnerable endpoint
- The form includes a crafted plugin ZIP file with an embedded PHP webshell
- An authenticated AVideo administrator visits the attacker's page
- The browser automatically submits the form with the admin's session cookie
- The server installs the malicious plugin, deploying the webshell
- Attacker accesses the webshell to execute arbitrary commands on the server
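The root cause and the attack flow above, as an added example that is not AVideo's code: a small Python model of the endpoint's authorization decision before and after the fix. Browser behaviour is reduced to the two rules that matter here (a SameSite=None cookie is attached to a cross-site POST, a Lax one is not; the multipart request needs no preflight). The origins, session id and ZIP bytes are assumptions for the model; the field name input-b1 and the token name globalToken are taken from the patch excerpt on this page, but the token here is a simple session-bound secret rather than AVideo's short-lived token.

```python
"""Model of the pluginImport.json.php authorization decision before and after the fix.

Added example, not AVideo code: it simulates only the browser rules that matter
(SameSite cookie attachment, Origin header) and the server-side checks, so the
CSRF condition can be reproduced and tested offline.
"""
import hmac
import secrets
from dataclasses import dataclass, field

APP_ORIGIN = "https://avideo.example"          # assumed site origin
ATTACKER_ORIGIN = "https://attacker.example"   # assumed attacker origin


@dataclass
class Session:
    user: str
    is_admin: bool
    # Server-issued, session-bound token; never readable by another origin.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """A multipart POST as the server sees it."""
    origin: str      # Origin header set by the browser
    cookies: dict    # cookies the browser chose to attach
    form: dict       # multipart fields, including the ZIP


def browser_post(session_id, samesite, origin, form):
    """Build the request a browser sends from a page at `origin`.

    The session cookie is attached cross-site only when it is SameSite=None
    (AVideo's HTTPS setting); with Lax it is dropped from a cross-site POST
    (Chromium's temporary Lax+POST exception is ignored here). The body is
    multipart/form-data, a CORS-safelisted type, so nothing preflights it.
    """
    cross_site = origin != APP_ORIGIN
    cookies = {}
    if samesite == "None" or not cross_site:
        cookies["PHPSESSID"] = session_id
    return Request(origin=origin, cookies=cookies, form=form)


def vulnerable_authorize(req, sessions):
    """Pre-patch behaviour: any admin session cookie is enough."""
    sess = sessions.get(req.cookies.get("PHPSESSID"))
    return bool(sess and sess.is_admin)


def patched_authorize(req, sessions):
    """Post-patch behaviour: admin session AND a matching server-issued token.

    A page on another origin cannot read the token, so it cannot supply it
    even though the browser attached the cookie. compare_digest avoids a
    timing side channel on the comparison.
    """
    sess = sessions.get(req.cookies.get("PHPSESSID"))
    if not (sess and sess.is_admin):
        return False
    token = req.form.get("globalToken", "")
    return hmac.compare_digest(token, sess.csrf_token)


def demo(samesite="None"):
    """Run a legitimate and a forged upload through both checks."""
    sessions = {"abc123": Session(user="admin", is_admin=True)}
    upload = {"input-b1": b"PK\x03\x04 constructed zip bytes"}  # constructed

    # Legitimate upload from the admin UI carries the token the page rendered.
    legit = browser_post("abc123", samesite, APP_ORIGIN,
                         {**upload, "globalToken": sessions["abc123"].csrf_token})
    # Attacker page: the cookie rides along (SameSite=None) but no token.
    forged = browser_post("abc123", samesite, ATTACKER_ORIGIN, dict(upload))

    return {
        "legit_vulnerable": vulnerable_authorize(legit, sessions),
        "legit_patched": patched_authorize(legit, sessions),
        "forged_vulnerable": vulnerable_authorize(forged, sessions),
        "forged_patched": patched_authorize(forged, sessions),
    }


if __name__ == "__main__":
    for mode in ("None", "Lax"):
        print(mode, demo(mode))
```

Running it shows the forged upload accepted only in the SameSite=None, pre-patch combination; switching the cookie to Lax or adding the token check closes it, which is why the fix keeps SameSite=None and enforces the token instead.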
The following patch was applied to implement CSRF protection:
    // CSRF protection: require a valid server-issued token.
    // multipart/form-data is a CORS-safelisted Content-Type, so browsers send it
    // cross-origin without an OPTIONS preflight. With SameSite=None on HTTPS the
    // session cookie is also included, making a pure session check insufficient.
    if (!isGlobalTokenValid()) {
        http_response_code(403);
        $obj->msg = "Invalid or missing CSRF token";
        die(json_encode($obj));
    }
    // Validate that a file was actually uploaded
    if (!isset($_FILES['input-b1']) || empty($_FILES['input-b1']['name'])) {
        $obj->msg = "No file uploaded";
        // (excerpt ends here)
Source: GitHub Commit
The patch also includes documentation explaining the intentional use of SameSite=None:
    if ($isHTTPS) {
        // SameSite=None is intentional: AVideo supports cross-origin iframe embedding
        // where users must stay authenticated (e.g. video players on third-party sites).
        // Setting Lax would break that use case. All state-mutating endpoints that are
        // vulnerable to CSRF must instead enforce a short-lived globalToken (verifyToken).
        ini_set('session.cookie_samesite', 'None');
        ini_set('session.cookie_secure', '1');
    }
Source: GitHub Commit
Detection Methods for CVE-2026-33507
Indicators of Compromise
- Unexpected PHP files appearing in plugin directories, particularly files with generic names like shell.php, cmd.php, or obfuscated filenames
- Web server logs showing POST requests to objects/pluginImport.json.php with cross-origin Referer or Origin headers
- Newly installed plugins that were not authorized by administrators
- Evidence of webshell activity including unusual PHP process spawning or outbound network connections
Detection Strategies
- Monitor HTTP logs for POST requests to /objects/pluginImport.json.php whose Origin header is not your AVideo origin (including the literal value null, which browsers send for opaque origins). Fall back to Referer only when Origin is absent: a Referrer-Policy can strip Referer, whereas browsers add Origin to every cross-origin POST, so use a log format that records Origin (Apache: %{Origin}i)
- Implement file integrity monitoring on the AVideo plugin directories to detect unauthorized file additions
- Review installed plugins regularly and compare against expected/authorized plugin list
- Configure web application firewall rules to detect webshell patterns in uploaded files
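The log check in the first strategy above, as an added example that is not from the advisory or from AVideo. It assumes an Apache LogFormat that records both Referer and Origin, such as `LogFormat "%h %t \"%r\" %>s \"%{Referer}i\" \"%{Origin}i\"" csrfwatch`, and the hostname avideo.example; the log lines are constructed for the example.

```python
"""Flag cross-origin POSTs to the AVideo plugin import endpoint in Apache logs.

Added example, not part of the advisory or of AVideo. Assumes a LogFormat of
  "%h %t \"%r\" %>s \"%{Referer}i\" \"%{Origin}i\""
The log lines in SAMPLE_LOG are constructed for the example.
"""
import re
from urllib.parse import urlsplit

ENDPOINT = "/objects/pluginImport.json.php"
SITE_HOST = "avideo.example"   # assumed hostname of the AVideo instance

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) "(?P<referer>[^"]*)" "(?P<origin>[^"]*)"$'
)

SAMPLE_LOG = """\
203.0.113.5 [23/Mar/2026:10:01:02 +0000] "POST /objects/pluginImport.json.php HTTP/1.1" 200 "https://avideo.example/plugins" "https://avideo.example"
198.51.100.9 [23/Mar/2026:10:05:44 +0000] "POST /objects/pluginImport.json.php HTTP/1.1" 200 "https://attacker.example/upload.html" "https://attacker.example"
198.51.100.9 [23/Mar/2026:10:05:45 +0000] "GET /plugin/ HTTP/1.1" 200 "-" "-"
192.0.2.7 [23/Mar/2026:10:06:10 +0000] "POST /objects/pluginImport.json.php HTTP/1.1" 200 "-" "null"
203.0.113.5 [23/Mar/2026:10:07:00 +0000] "POST /objects/pluginImport.json.php HTTP/1.1" 200 "-" "-"
"""


def host_of(value):
    """Return the lower-cased host of a URL-ish header value, or None if absent."""
    if not value or value == "-":
        return None
    return (urlsplit(value).hostname or "").lower() or None


def classify(entry, site_host=SITE_HOST):
    """Return None for benign entries, or a reason string for suspicious ones."""
    if entry["method"] != "POST" or urlsplit(entry["path"]).path != ENDPOINT:
        return None
    origin = entry["origin"]
    if origin == "null":
        # Browsers send Origin: null from sandboxed iframes, data: URLs, etc.
        return "Origin: null (opaque origin)"
    origin_host = host_of(origin)
    if origin_host is not None:
        return None if origin_host == site_host else f"cross-origin Origin {origin_host}"
    referer_host = host_of(entry["referer"])
    if referer_host is not None:
        return None if referer_host == site_host else f"cross-origin Referer {referer_host}"
    # No Origin and no Referer: a referrer policy can strip Referer, but browsers
    # always add Origin to a cross-origin POST, so this is low confidence
    # (non-browser clients such as scripts also look like this).
    return "no Origin/Referer on state-changing POST (review manually)"


def scan(log_text, site_host=SITE_HOST):
    """Return (ip, timestamp, reason) for every suspicious plugin import."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        reason = classify(m.groupdict(), site_host)
        if reason:
            findings.append((m["ip"], m["ts"], reason))
    return findings


if __name__ == "__main__":
    for ip, ts, reason in scan(SAMPLE_LOG):
        print(f"{ts} {ip}: {reason}")
```

Origin is preferred over Referer because a referrer policy can remove Referer while cross-origin POSTs from a browser always carry Origin; a POST with neither header is reported at low confidence rather than dropped, since a non-browser client produces the same shape.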
Monitoring Recommendations
- Enable verbose logging for the plugin import functionality and review logs for anomalous upload activity
- Deploy endpoint detection and response (EDR) solutions on servers hosting AVideo to detect post-exploitation activity
- Set up alerts for new PHP file creation within the AVideo installation directory
- Monitor administrator account activity for plugin installations that occur outside normal maintenance windows
How to Mitigate CVE-2026-33507
Immediate Actions Required
- Update WWBN AVideo to a version containing commit d1bc1695edd9ad4468a48cea0df6cd943a2635f3 or later
- Audit recently installed plugins for unauthorized or suspicious additions
- Review web server logs for evidence of exploitation attempts
- Educate administrators about the risks of visiting untrusted websites while authenticated to administrative interfaces
Patch Information
WWBN has released a fix in commit d1bc1695edd9ad4468a48cea0df6cd943a2635f3. The patch implements CSRF protection using a global token validation mechanism (isGlobalTokenValid()) for the plugin import endpoint. This ensures that only requests containing a valid server-issued token are processed, effectively preventing cross-origin exploitation. Refer to the GitHub Security Advisory for complete details.
Workarounds
- Restrict network access to the AVideo administrative interface to trusted IP addresses or VPN connections. This narrows who can reach the endpoint but does not stop a CSRF launched from an administrator's browser inside the trusted range
- Use a separate browser or browser profile for AVideo administration that is not used for general web browsing
- Implement web application firewall rules that reject POSTs to /objects/pluginImport.json.php whose Origin header is present and is not your AVideo origin (including null); if non-browser clients use the endpoint, log rather than block requests with no Origin header
- Consider disabling plugin upload functionality if not required for operations
# Example: restrict the plugin import endpoint to trusted admin networks (.htaccess, Apache 2.4 syntax).
# This only limits who can reach the endpoint; an admin browsing from inside an
# allowed network can still be targeted by CSRF, so apply the upstream patch as well.
<Files "pluginImport.json.php">
    Require ip 192.168.1.0/24
    Require ip 10.0.0.0/8
</Files>
# Apache 2.2 (or 2.4 with mod_access_compat) equivalent:
#   Order Deny,Allow
#   Deny from all
#   Allow from 192.168.1.0/24 10.0.0.0/8
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.