CVEReports

CVE-2026-33651: Blind SQL Injection in WWBN AVideo Live Schedule Reminder

Amit Schendel
Senior Security Researcher

Mar 25, 2026 · 6 min read

Executive Summary (TL;DR)

Authenticated attackers can exploit a blind SQL injection flaw in AVideo <= 26.0 via the `live_schedule_id` parameter to extract sensitive database contents using time-based inference.

WWBN AVideo versions up to and including 26.0 contain a critical time-based blind SQL injection vulnerability in the `remindMe.json.php` endpoint. An authenticated attacker can supply a crafted `live_schedule_id` parameter to execute arbitrary database queries, leading to full database compromise.

Vulnerability Overview

WWBN AVideo versions up to and including 26.0 contain a high-severity time-based blind SQL injection vulnerability. The flaw manifests in the Live Schedule Reminder functionality, specifically within the plugin/Live/remindMe.json.php endpoint. This endpoint accepts HTTP requests to configure database-backed reminders for upcoming live streaming events.

The vulnerability is formally classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). An authenticated attacker can supply crafted SQL payloads via the HTTP request parameters. The application processes this input and eventually concatenates it directly into a backend database query without adequate sanitization or parameterization.

Successful exploitation allows an attacker to extract arbitrary data from the underlying relational database. Because the query results are not explicitly returned in the HTTP response body, the attacker relies on time-based inference techniques. This method evaluates boolean conditions by measuring server response delays, allowing the attacker to enumerate database schemas, tables, and sensitive records bit by bit.

Root Cause Analysis

The root cause of CVE-2026-33651 is improper input sanitization across multiple function boundaries combined with unsafe string concatenation in the data access layer. The execution flow begins when plugin/Live/remindMe.json.php receives the live_schedule_id parameter from the $_REQUEST array. The application passes this unvalidated string variable directly into the Live::setLiveScheduleReminder() method.

Throughout the function call chain, intermediate methods attempt to sanitize the input but fail to modify the original variable reference. For example, the new Live_schedule($id) constructor applies intval() to cast the input to an integer. However, this casting operation occurs on a distinct local variable within the ObjectYPT::getFromDb() method. The original tainted string, passed into the function hierarchy, remains entirely intact.

The unmodified, tainted string propagates down to the Scheduler_commands::getAllActiveOrToRepeat($type) method. Within this method, the application dynamically constructs a SQL SELECT statement. The vulnerable logic directly concatenates the tainted variable into a LIKE clause without utilizing prepared statements or input validation.

Code Analysis

A review of the vulnerable source code pinpoints the exact location of the unsafe string concatenation. In plugin/Scheduler/Objects/Scheduler_commands.php, the getAllActiveOrToRepeat method appends the $type parameter directly to the $sql string variable. The application then passes this string to sqlDAL::readSql(), executing the payload against the database.

// Vulnerable Implementation
$sql = "SELECT * FROM  " . static::getTableName() . " WHERE (status='" . (self::$statusActive) . "' OR status='" . (self::$statusRepeat) . "') ";
if(!empty($type)){
    $sql .= ' AND `type` LIKE "'.$type.'%" ';
}
$res = sqlDAL::readSql($sql);

The patch introduced in commit 75d45780728294ededa1e3f842f95295d3e7d144 addresses the vulnerability through two primary defense mechanisms. First, it enforces early type casting in remindMe.json.php by applying intval() directly to $_REQUEST['live_schedule_id'] before any further processing occurs. This ensures the parameter is strictly numeric at the entry point.

// Patch snippet in remindMe.json.php
+$_REQUEST['live_schedule_id'] = intval($_REQUEST['live_schedule_id']);
 $reminder = Live::setLiveScheduleReminder($_REQUEST['live_schedule_id'], ...);
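Review bot: the `+` line reads `$_REQUEST['live_schedule_id']` unconditionally before casting; when the parameter is absent, PHP emits an undefined-index notice (a warning on PHP 8) and `intval()` yields `0`, which is then handed to `Live::setLiveScheduleReminder()` as if it were a real schedule id. Guarding the read (`intval($_REQUEST['live_schedule_id'] ?? 0)`) and rejecting a zero id before the call would keep the entry point strict rather than merely numeric.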

Second, the patch refactors the getAllActiveOrToRepeat method to utilize parameterized queries. The implementation now defines query structures using positional placeholders (?) and passes the user input via a separate $values array. This separation of code and data prevents the database engine from interpreting malicious input as executable SQL commands.

// Patched Implementation in Scheduler_commands.php
$sql = "SELECT * FROM  " . static::getTableName() . " WHERE (status=? OR status=?) ";
$formats = 'ss';
$values = [self::$statusActive, self::$statusRepeat];
if(!empty($type)){
    $sql .= ' AND `type` LIKE ? ';
    $formats .= 's';
    $values[] = $type . '%';
}
$res = sqlDAL::readSql($sql, $formats, $values);

Exploitation

Exploiting CVE-2026-33651 requires the attacker to hold an authenticated session on the target AVideo instance. The attacker must obtain a valid PHPSESSID cookie to interact with the protected remindMe.json.php endpoint. Network access to the application is the only other prerequisite for launching the attack.

The attack relies on time-based blind SQL injection techniques due to the absence of visible database errors or query results in the HTTP response body. The attacker crafts a payload that breaks out of the intended LIKE clause using quotation marks. The payload then injects a conditional time delay function, such as SLEEP() or BENCHMARK().

curl -b "PHPSESSID=attacker-session-id" \
  "https://target-avideo.com/plugin/Live/remindMe.json.php?live_schedule_id=1%22+AND+(SELECT+1+FROM+(SELECT(SLEEP(5)))a)+AND+%221%22+LIKE+%221"

When the server evaluates the injected condition as true, the database engine executes the sleep command, intentionally delaying the HTTP response. The attacker observes this network latency to infer the truth value of the injected condition. By systematically iterating through candidate characters and measuring response times, the attacker extracts schemas, tables, and sensitive records one character at a time.

Impact Assessment

The exploitation of this vulnerability yields a high severity impact, reflected in the CVSS v3.1 base score of 8.1. The primary consequence is a total loss of database confidentiality. An attacker can systematically exfiltrate all information stored within the AVideo database instance.

This data exposure encompasses sensitive user records, including email addresses, personal details, and password hashes. If the attacker successfully cracks the exfiltrated administrative password hashes, they can escalate their privileges within the application. Administrative access allows the attacker to manipulate platform configurations, modify content, or potentially execute arbitrary code on the underlying server via administrative features.

Integrity is also significantly impacted by this vulnerability. The attacker can modify the injected SQL statements to execute UPDATE or DELETE commands, altering application data or destroying operational records. While availability is not directly targeted by the design of the vulnerability, aggressive time-based exploitation attempts can exhaust server connection pools and degrade application performance.

Remediation

The primary remediation strategy for CVE-2026-33651 is updating the WWBN AVideo installation to version 26.1 or later. The vendor has provided a comprehensive fix in commit 75d45780728294ededa1e3f842f95295d3e7d144. This update implements both input sanitization at the application edge and parameterized queries within the underlying data access layer.

Organizations unable to apply the patch immediately should implement compensating controls. Web Application Firewall (WAF) rules provide a temporary defense layer. Administrators must configure the WAF to inspect requests targeting /plugin/Live/remindMe.json.php and block common SQL injection signatures, including SLEEP, BENCHMARK, and unbalanced double quotes.
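As an added example, not code from this report or from WWBN, a small Python scanner that applies the compensating-control logic above to web server access-log lines; the endpoint path and parameter name come from the report, while the log lines themselves are constructed for the example:

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format), not real traffic.
# Line 2 carries the report's time-based payload; line 3 is a quote break-out
# probe that uses no SLEEP/BENCHMARK call at all.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Mar/2026:10:00:01 +0000] "GET /plugin/Live/remindMe.json.php?live_schedule_id=42 HTTP/1.1" 200 87
203.0.113.9 - - [25/Mar/2026:10:00:02 +0000] "GET /plugin/Live/remindMe.json.php?live_schedule_id=1%22+AND+(SELECT+1+FROM+(SELECT(SLEEP(5)))a)+AND+%221%22+LIKE+%221 HTTP/1.1" 200 87
203.0.113.9 - - [25/Mar/2026:10:00:09 +0000] "GET /plugin/Live/remindMe.json.php?live_schedule_id=1%22+OR+%221%22+LIKE+%221 HTTP/1.1" 200 87
203.0.113.7 - - [25/Mar/2026:10:00:10 +0000] "GET /index.php?page=1 HTTP/1.1" 200 512
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)')
TARGET_PATH = "/plugin/Live/remindMe.json.php"
TIME_FUNCS = re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.IGNORECASE)

def inspect_live_schedule_id(target):
    """Return the rule names one request target triggers; [] if clean or off-path."""
    parts = urlsplit(target)
    if parts.path != TARGET_PATH:
        return []
    hits = []
    # parse_qs percent-decodes and maps '+' to space, matching what PHP puts in $_REQUEST.
    for value in parse_qs(parts.query, keep_blank_values=True).get("live_schedule_id", []):
        if not re.fullmatch(r"-?\d+", value):
            hits.append("non_integer_id")       # positive validation: a schedule id is only ever an integer
        if '"' in value:
            hits.append("quote_in_id")          # a double quote is what breaks out of the LIKE "...%" clause
        if TIME_FUNCS.search(value):
            hits.append("time_based_function")  # the SLEEP/BENCHMARK signature named in the report
    return hits

def scan_log(text):
    """Return (client ip, request target, triggered rules) for every offending line."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = inspect_live_schedule_id(m["target"])
        if hits:
            alerts.append((m["ip"], m["target"], hits))
    return alerts

if __name__ == "__main__":
    for ip, target, hits in scan_log(SAMPLE_LOG):
        print(ip, hits, target)
```

The report's own payload contains an even number of double quotes, so a rule that looks only for unbalanced quotes would not flag it; treating any non-integer live_schedule_id as suspicious is the check that holds however the payload is balanced.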

Development teams analyzing this vulnerability should observe the importance of defense-in-depth principles. Relying on downstream functions to sanitize input as a side-effect is an anti-pattern that frequently leads to systemic bypasses. Consistent use of parameterized queries for all database interactions is the only robust defense against SQL injection flaws.

Official Patches

  • WWBN: Official patch fixing the SQL injection flaw
  • WWBN: GitHub Security Advisory


Technical Appendix

CVSS Score: 8.1 / 10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS Probability: 0.03% (top 93% most exploited)

Affected Systems

WWBN AVideo <= 26.0

Affected Versions Detail

Product: AVideo (WWBN)
Affected Versions: <= 26.0
Fixed Version: 26.1

Attribute / Detail

CWE ID: CWE-89
Attack Vector: Network
CVSS v3.1 Score: 8.1 (High)
Exploit Status: Proof-of-Concept Available
Authentication: Required (Low Privileges)
EPSS Percentile: 6.98%
KEV Status: Not Listed
Remediation: Update to >= 26.1

MITRE ATT&CK Mapping

T1190: Exploit Public-Facing Application (Initial Access)
CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command.

Vulnerability Timeline

2026-03-22: Security researcher reported the flaw; fix commit 75d45780728294ededa1e3f842f95295d3e7d144 authored by Daniel Neto
2026-03-23: GitHub Security Advisory GHSA-pvw4-p2jm-chjm published
2026-03-23: CVE-2026-33651 assigned and published by GitHub (CNA)
2026-03-23: NVD publication and CVSS score assignment

References & Sources

  • [1] NVD Record for CVE-2026-33651
  • [2] GitHub Advisory: GHSA-pvw4-p2jm-chjm
  • [3] Fix Commit 75d45780728294ededa1e3f842f95295d3e7d144
  • [4] Technical Write-up by Marlon Ribunal

Attack Flow Diagram

[Interactive attack flow diagram not reproduced in this text version]
