Mar 23, 2026
A CSRF vulnerability in AVideo's plugin system allows attackers to bypass authentication and achieve RCE by forcing an administrator's browser to silently upload a malicious ZIP archive containing a web shell.
WWBN AVideo versions up to and including 26.0 are vulnerable to a Cross-Site Request Forgery (CSRF) flaw in the plugin upload mechanism. Due to an insecure session cookie configuration and missing request validation, an unauthenticated attacker can upload a malicious plugin by tricking an authenticated administrator into visiting a crafted webpage. This allows the attacker to deploy a web shell and achieve Remote Code Execution (RCE) on the underlying server.
WWBN AVideo is an open-source video platform that supports extensibility through a modular plugin architecture. Administrators can upload custom plugins as ZIP archives via the web interface to add new functionality to the application. This mechanism relies on the objects/pluginImport.json.php endpoint to handle the file upload, extraction, and installation processes.
The application versions up to and including 26.0 contain a Cross-Site Request Forgery (CSRF) vulnerability tracked as CVE-2026-33507. This flaw exists because the plugin import endpoint fails to implement standard CSRF protections, such as anti-CSRF tokens or strict Origin header validation. Furthermore, the application's session management configuration actively enables cross-origin requests by setting session cookies with the SameSite=None attribute over HTTPS connections.
When combined with incomplete file validation during the plugin extraction process, this CSRF vulnerability escalates directly to Remote Code Execution (RCE). An attacker can host a specially crafted webpage that automatically submits a malicious plugin archive to the target AVideo instance. If an authenticated administrator visits this page, their browser will seamlessly append their active session cookie to the malicious request, resulting in the server processing the attacker's payload.
The root cause of CVE-2026-33507 stems from a triad of architectural weaknesses: a permissive cookie policy, the absence of state-changing request validation, and insufficient sanitization of uploaded archive contents. The vulnerability initiates within the session configuration defined in objects/include_config.php. The application code explicitly configures the PHP session cookie with ini_set('session.cookie_samesite', 'None'); when an HTTPS connection is detected.
This SameSite=None directive instructs the browser to include the session cookie in all cross-origin requests. While this might be intended to support specific integrations, it fundamentally removes the browser's native defense against CSRF attacks. Consequently, any external website can issue POST requests to the AVideo instance, and the browser will attach the administrator's authentication material.
The second failure occurs in the objects/pluginImport.json.php endpoint. The script verifies the user's authorization by calling User::isAdmin(), which relies entirely on the presence of a valid session cookie. The endpoint does not require an anti-CSRF token, nor does it perform strict validation of the Referer or Origin HTTP headers.
Finally, the plugin extraction logic is flawed. The platform verifies that the main PHP file within the uploaded ZIP archive extends the PluginAbstract class. However, it intentionally permits .php extensions and fails to inspect secondary files within the archive. These secondary files are extracted directly into the web-accessible plugin/ directory, allowing the introduction of arbitrary executable PHP scripts alongside the benign-looking main plugin file.
To understand the mechanical failure, we must examine the configuration and endpoint logic. In objects/include_config.php, the vulnerable session cookie configuration is enforced around line 134. This explicitly disables the browser's default protection mechanisms against cross-site credential inclusion.
```php
if ($isHTTPS) {
    ini_set('session.cookie_samesite', 'None');
    ini_set('session.cookie_secure', '1');
}
```

The patch introduced in commit d1bc1695edd9ad4468a48cea0df6cd943a2635f3 addresses the CSRF vulnerability directly at the endpoint level. The remediation modifies objects/pluginImport.json.php to enforce origin validation and require a cryptographic token. This dual-layered approach prevents automated cross-origin exploitation.
```php
// Patched pluginImport.json.php
require_once '../videos/configuration.php';
allowOrigin(); // Enforces strict origin checking against authorized domains
verifyToken($_POST['globalToken']); // Requires a valid CSRF token bound to the session
if (!User::isAdmin()) {
    die('{"error":"Access denied"}');
}
```

The frontend form located in view/managerPluginUpload.php was concurrently updated to include the necessary globalToken in the submission payload. While this successfully mitigates the CSRF vector, administrators should recognize that the underlying archive extraction behavior remains largely unchanged. The security model now relies entirely on preventing unauthorized users from invoking the upload endpoint, rather than strictly sandboxing the extracted files.
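Because the patch leaves archive extraction unchanged, a deployment can add its own pre-install check for the secondary-PHP-file pattern described above. The following is an added example, not AVideo's code or part of the maintainers' patch; it assumes that a plugin archive should contain exactly one PHP file (the one extending PluginAbstract) and treats any other PHP entry or path-escaping entry as a reason to reject the upload.

```python
import io
import re
import zipfile

# The structural check the page describes: the main plugin file must declare
# a class that extends PluginAbstract.
MAIN_CLASS_RE = re.compile(r"class\s+\w+\s+extends\s+PluginAbstract\b")

def audit_plugin_zip(data: bytes) -> dict:
    """Inspect a plugin archive before it is extracted into plugin/: flag any
    PHP file beyond the main plugin file and any path that would escape the
    plugin directory. "One PHP file per archive" is an assumption made for
    this example, not AVideo's own rule.
    """
    findings = {"main_file": None, "extra_php": [], "unsafe_paths": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            # Absolute paths or '..' segments would write outside plugin/.
            if name.startswith("/") or ".." in name.split("/"):
                findings["unsafe_paths"].append(name)
                continue
            if not name.lower().endswith(".php"):
                continue
            content = zf.read(info).decode("utf-8", errors="replace")
            if findings["main_file"] is None and MAIN_CLASS_RE.search(content):
                findings["main_file"] = name
            else:
                # A second PHP file is exactly what the text says goes unchecked.
                findings["extra_php"].append(name)
    findings["safe"] = bool(findings["main_file"]) and not (
        findings["extra_php"] or findings["unsafe_paths"])
    return findings

def build_sample_zip(files: dict) -> bytes:
    """Build a constructed in-memory archive (sample data for this example)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in files.items():
            zf.writestr(name, body)
    return buf.getvalue()

# Constructed sample: the main file plus a secondary PHP file, the pattern the
# page describes. The secondary file here is only a comment.
SUSPECT = build_sample_zip({
    "Demo/Demo.php": "<?php class Demo extends PluginAbstract { }",
    "Demo/cmd.php": "<?php // secondary file: must not reach the plugin/ tree",
})
```

Run the audit on the uploaded bytes before the extraction step and refuse the archive when `safe` is false; the findings dictionary names the offending entries for the admin log.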
Exploiting this vulnerability requires an attacker to construct a specific plugin archive and deploy a malicious web page. The archive must contain a primary PHP file that successfully bypasses the application's structural validation. This main file simply needs to declare a class extending PluginAbstract and implement the required abstract methods with non-functional dummy data.
Alongside this structural bypass, the attacker includes a secondary PHP file containing the actual payload, typically a web shell. For example, a file named cmd.php containing <?php system($_GET['c']); ?> is packaged into the ZIP archive. Once the AVideo server processes this archive, the cmd.php file is written to the public web directory without any sanitization or execution restrictions.
The delivery mechanism utilizes a hidden asynchronous request executed by the victim's browser. The attacker hosts an HTML page featuring JavaScript that constructs a multipart/form-data payload containing the crafted ZIP archive. The script utilizes the fetch API configured with mode: 'no-cors' and credentials: 'include' to ensure the browser dispatches the request with the victim's PHPSESSID cookie attached.
Upon the administrator rendering the attacker's page, the browser silently transmits the archive to objects/pluginImport.json.php. The AVideo server, recognizing a valid session cookie and encountering no CSRF protections, authenticates the request as the administrator. The server extracts the archive, placing the web shell into the plugin/ directory, which the attacker can subsequently access to execute arbitrary commands.
The successful exploitation of CVE-2026-33507 results in unauthenticated Remote Code Execution (RCE) in the context of the web server user. The CVSS v3.1 vector evaluates to CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, accurately reflecting the severity of the flaw. The vulnerability requires user interaction, specifically targeting an authenticated administrator, which serves as the primary limiting factor for mass exploitation.
Once the web shell is deployed, the attacker gains the ability to execute arbitrary operating system commands. This execution occurs under the privileges of the web application service account, typically www-data or apache. From this position, the attacker possesses complete control over the AVideo application and its underlying data structures.
The attacker can directly read sensitive configuration files, including videos/configuration.php, exposing database credentials and internal cryptographic keys. Access to the database allows for the exfiltration of user data, modification of application content, and potential credential harvesting.
Furthermore, the compromised web server serves as a strategic foothold for lateral movement within the internal network. The attacker can deploy persistent backdoors, escalate privileges on the host operating system utilizing local exploits, or pivot to attack internal infrastructure that is otherwise shielded from the public internet.
Remediation of CVE-2026-33507 requires applying the official patch provided by the WWBN AVideo maintainers. Organizations must update their AVideo deployments to a version incorporating commit d1bc1695edd9ad4468a48cea0df6cd943a2635f3. This patch adds origin validation and CSRF token verification to the pluginImport.json.php endpoint, neutralizing the attack vector.
If immediate patching is not technically feasible, administrators can apply manual configurations to mitigate the risk. Modifying the objects/include_config.php file to alter the session.cookie_samesite value from None to Lax or Strict will instruct modern browsers to withhold the session cookie during cross-origin requests. This configuration change effectively breaks the CSRF exploit chain.
Administrators should adopt strict operational security practices when managing the AVideo platform. Active sessions should be terminated by explicitly logging out of the administrator panel when management tasks are complete. Administrators must avoid browsing the broader internet or accessing untrusted links while maintaining an active session in the AVideo backend.
Network-level defenses can also provide supplementary protection. Configuring a Web Application Firewall (WAF) to block external POST requests to the /objects/pluginImport.json.php endpoint that lack a valid Origin header matching the AVideo domain adds a layer of defense. Additionally, restricting access to the administrative interfaces via IP whitelisting significantly reduces the exposed attack surface.
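The WAF rule described above, written out as an added example rather than AVideo's own code or the maintainers' patch. It assumes avideo.example.com as the deployment host and compares the Origin header's scheme, host and port against that value; requests with no Origin or the literal `null` origin are blocked as well.

```python
from urllib.parse import urlsplit

# Endpoint named on the page; the site origin is an assumed deployment value.
PROTECTED_PATH = "/objects/pluginImport.json.php"
SITE_ORIGIN = "https://avideo.example.com"

def _normalize_origin(value: str):
    """Reduce an Origin/URL string to (scheme, host, port) for comparison.
    Returns None for a missing, malformed or literal 'null' origin."""
    if not value or value.strip().lower() == "null":
        return None
    parts = urlsplit(value.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.scheme, parts.hostname, port)

def should_block(method: str, path: str, headers: dict) -> bool:
    """WAF-style rule: block POSTs to the plugin upload endpoint whose Origin
    header is absent or does not match the AVideo origin. Header names are
    matched case-insensitively; query strings on the path are ignored and
    every other path passes through untouched."""
    if method.upper() != "POST" or urlsplit(path).path != PROTECTED_PATH:
        return False
    lowered = {k.lower(): v for k, v in headers.items()}
    origin = _normalize_origin(lowered.get("origin", ""))
    return origin is None or origin != _normalize_origin(SITE_ORIGIN)

# Constructed requests: a same-site upload from the admin UI, and a cross-site
# POST where the browser attached the session cookie together with the
# third-party Origin. Cookie values are placeholders.
LEGIT = ("POST", PROTECTED_PATH,
         {"Origin": "https://avideo.example.com", "Cookie": "PHPSESSID=placeholder"})
CROSS_SITE = ("POST", PROTECTED_PATH,
              {"Origin": "https://third-party.example", "Cookie": "PHPSESSID=placeholder"})
```

Modern browsers send Origin on cross-site POSTs even when the request is made in no-cors mode, so the forged request carries a mismatching header; treating a missing Origin as a block is a deliberate fail-closed choice and should be verified against the real admin UI traffic before enforcement.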
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

| Product | Affected Versions | Fixed Version |
|---|---|---|
| WWBN AVideo | <= 26.0 | Latest (post-26.0 commit d1bc1695edd9ad4468a48cea0df6cd943a2635f3) |

| Attribute | Detail |
|---|---|
| CWE ID | CWE-352 (Cross-Site Request Forgery) |
| Attack Vector | Network |
| CVSS v3.1 | 8.8 (High) |
| Impact | Remote Code Execution (RCE) |
| Exploit Status | Proof of Concept Available |
| KEV Status | Not Listed |
The web application does not sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.