CVE-2026-34375
Published: 27 March 2026
Summary
CVE-2026-34375 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Wwbn Avideo. Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 15.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mandates filtering or encoding of the unsanitized 'plugin' parameter when echoed into JavaScript to prevent XSS payload execution.
Requires validation of the 'plugin' parameter from $_REQUEST to block malicious JavaScript injection before it reaches the output stage.
Ensures timely remediation of the specific flaw via patching, as implemented in commit fa0bc102, to eliminate the unsanitized reflection vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Reflected XSS enables arbitrary JS execution (incl. credential exfil of username/password hash) via crafted malicious URL requiring user interaction; directly maps to drive-by compromise via phishing link and user execution of malicious link.
NVD Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the YPTWallet Stripe payment confirmation page directly echoes the `$_REQUEST['plugin']` parameter into a JavaScript block without any encoding or sanitization. The `plugin` parameter is not…
more
included in any of the framework's input filter lists defined in `security.php`, so it passes through completely raw. An attacker can inject arbitrary JavaScript by crafting a malicious URL and sending it to a victim user. The same script block also outputs the current user's username and password hash via `User::getUserName()` and `User::getUserPass()`, meaning a successful XSS exploitation can immediately exfiltrate these credentials. Commit fa0bc102493a15d79fe03f86c07ab7ca1b5b63e2 fixes the issue.
Deeper analysisAI
CVE-2026-34375 is a reflected cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting WWBN AVideo, an open-source video platform, in versions up to and including 26.0. The issue resides in the YPTWallet Stripe payment confirmation page, which directly echoes the `$_REQUEST['plugin']` parameter into a JavaScript block without encoding or sanitization. This parameter bypasses the framework's input filters defined in `security.php`, allowing raw input to be inserted. The vulnerability carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N), indicating high severity due to its network accessibility, low attack complexity, and potential for scoped confidentiality impact.
An unauthenticated attacker (PR:N) can exploit this by crafting a malicious URL with a payload in the `plugin` parameter and tricking a victim user into visiting it, such as via phishing or social engineering (UI:R). Upon page load, the injected JavaScript executes in the victim's browser context. The same script block outputs the current user's username via `User::getUserName()` and password hash via `User::getUserPass()`, enabling immediate exfiltration of these credentials to an attacker-controlled endpoint.
The GitHub security advisory (GHSA-pm37-62g7-p768) and fixing commit (fa0bc102493a15d79fe03f86c07ab7ca1b5b63e2) detail the patch, which addresses the lack of sanitization on the `plugin` parameter. Security practitioners should upgrade to a version incorporating this commit and review similar unsanitized parameter reflections in payment or user-facing pages.
Details
- CWE(s)