CVE-2026-34394
Published: 31 March 2026
Summary
CVE-2026-34394 is a high-severity CSRF (CWE-352) vulnerability in WWBN AVideo. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 5.5th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-5 (Access Restrictions for Change) and SC-23 (Session Authenticity).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SC-23 requires session authenticity mechanisms like CSRF tokens to verify legitimate requests to sensitive admin endpoints, directly preventing forged cross-origin POSTs that overwrite plugin settings.
SI-10 mandates validation of information inputs to external interfaces, ensuring CSRF tokens are checked before processing plugin configuration changes in save.json.php.
CM-5 enforces strict access restrictions and authorization for configuration changes, mitigating unauthorized overwrites of critical plugin settings like payment processors and credentials.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CSRF vulnerability in the public-facing admin/save.json.php endpoint directly enables exploitation of a public-facing application (T1190) by allowing forged requests using the victim's session. The attack requires tricking an administrator into visiting a malicious webpage, which maps to delivery via spearphishing link (T1566.002).
NVD Description
WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's admin plugin configuration endpoint (admin/save.json.php) lacks any CSRF token validation. There is no call to isGlobalTokenValid() or verifyToken() before processing the request. Combined with the application's explicit SameSite=None cookie policy, an attacker can forge cross-origin POST requests from a malicious page to overwrite arbitrary plugin settings on a victim administrator's session. Because the plugins table is included in the ignoreTableSecurityCheck() array in objects/Object.php, standard table-level access controls are also bypassed. This allows a complete takeover of platform functionality by reconfiguring payment processors, authentication providers, cloud storage credentials, and more. At time of publication, there are no publicly available patches.
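The check the description says is missing (token validation before the plugin-settings request is processed, the SC-23/SI-10 control above), shown as an added illustrative model in Python rather than AVideo's own PHP code. The session and request classes, the site origin and the plugin name are constructed for the example; the point is that with SameSite=None the session cookie reaches the endpoint on a cross-site POST, so only a session-bound token plus an Origin check separates the administrator's own save from a forged one.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SITE_ORIGIN = "https://video.example.test"  # constructed deployment origin (assumption)
ADMIN_ENDPOINT = "/admin/save.json.php"

@dataclass
class Session:
    """Server-side session; the anti-CSRF token is bound to it, not to a cookie."""
    is_admin: bool
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))

@dataclass
class Request:
    method: str
    path: str
    headers: dict
    form: dict

def _origin_of(url: str) -> str:
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}" if p.scheme and p.netloc else ""

def check_admin_request(req: Request, session: Session) -> tuple[bool, str]:
    """Return (allowed, reason) for a plugin-settings save. The session cookie alone
    proves nothing: with SameSite=None the browser attaches it to a cross-site POST."""
    if req.path != ADMIN_ENDPOINT or req.method != "POST":
        return False, "only POST to the admin endpoint is accepted here"
    if not session.is_admin:
        return False, "session is not an administrator"
    # Layer 1 (SC-23 / SI-10): synchronizer token, constant-time comparison.
    supplied = req.form.get("csrf_token", "")
    if not hmac.compare_digest(supplied.encode(), session.csrf_token.encode()):
        return False, "missing or invalid CSRF token"
    # Layer 2: browsers always send Origin on cross-origin POSTs, so a request
    # forged from another site is rejected even if the token check regressed.
    origin = req.headers.get("Origin") or _origin_of(req.headers.get("Referer", ""))
    if origin != SITE_ORIGIN:
        return False, f"cross-origin request from {origin or 'unknown origin'}"
    return True, "ok"

# Constructed sample traffic: the admin's own save, and a POST forged from an
# attacker-controlled page that rides on the same session but carries no token.
ADMIN = Session(is_admin=True)
LEGIT = Request("POST", ADMIN_ENDPOINT, {"Origin": SITE_ORIGIN},
                {"plugin": "ExamplePayments", "csrf_token": ADMIN.csrf_token})
FORGED = Request("POST", ADMIN_ENDPOINT, {"Origin": "https://attacker.example.test"},
                 {"plugin": "ExamplePayments"})
```

Calling check_admin_request(LEGIT, ADMIN) returns (True, "ok") while the forged request is refused at the token check; a request that somehow carried a valid token but a foreign Origin is still refused by the second layer.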
Deeper analysis
CVE-2026-34394 is a cross-site request forgery (CSRF) vulnerability, classified under CWE-352, affecting WWBN AVideo, an open source video platform, in versions 26.0 and prior. The issue resides in the admin plugin configuration endpoint at admin/save.json.php, which lacks CSRF token validation, with no calls to functions like isGlobalTokenValid() or verifyToken() prior to processing requests. This flaw is exacerbated by the application's explicit SameSite=None cookie policy and the inclusion of the plugins table in the ignoreTableSecurityCheck() array in objects/Object.php, bypassing standard table-level access controls.
An attacker can exploit this vulnerability over the network with low complexity and no required privileges, though it demands user interaction from a victim administrator (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N, score 8.1). By tricking an admin into visiting a malicious webpage, the attacker can forge cross-origin POST requests that leverage the victim's session cookies to overwrite arbitrary plugin settings. This enables complete takeover of platform functionality, such as reconfiguring payment processors, authentication providers, and cloud storage credentials.
The GitHub security advisory (GHSA-4wwr-7h7c-chqr) confirms that, at the time of publication on 2026-03-31, no publicly available patches exist for this vulnerability.
Details
- CWE(s)