Mar 26, 2026 · 5 min read
Authenticated SQL Injection in WWBN AVideo's `objects/subscribe.php` via the `user_id` parameter, enabling arbitrary database querying and sensitive data exfiltration.
WWBN AVideo versions up to and including 26.0 contain a critical SQL injection vulnerability in the subscription module. The application fails to properly sanitize or parameterize the `user_id` POST parameter before incorporating it into database queries within the `Subscribe::save()` method. This allows an authenticated attacker to execute arbitrary SQL commands, gaining unauthorized read access to the backend database.
WWBN AVideo is an open-source video hosting platform that handles user authentication, media streaming, and subscription management. The application exposes multiple JSON-based API endpoints for frontend interaction. Two specific endpoints, /objects/subscribe.json.php and /objects/subscribeNotify.json.php, process user subscription events.
These endpoints accept HTTP POST requests containing user-controlled parameters. The request data maps to a Subscribe object, which manages the database lifecycle for subscription records. The application utilizes a custom database abstraction layer, accessed via the sqlDAL::writeSql method, to execute queries against the backend database.
A vulnerability exists in the implementation of the Subscribe::save() method within objects/subscribe.php. The method constructs SQL query strings by concatenating object properties directly into the query text. This architectural pattern violates CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), creating a direct injection vector.
The vulnerability originates in the application's input processing pipeline for subscription data. When a POST request reaches the target endpoints, the global $_POST array maps directly to the properties of the Subscribe class. The application performs no sanitization or type validation during this initial data binding phase.
The primary injection point is the users_id property. When the Subscribe::save() method executes for a new subscription record, it constructs an INSERT statement. The method concatenates the $this->users_id value, along with other properties, directly into the VALUES clause of the SQL string.
The custom database abstraction layer facilitates this exploitation path. The sqlDAL::writeSql function accepts a single string argument for query execution. When invoked in this manner, it bypasses the prepared statement protections that neutralize SQL metacharacters. The application passes the concatenated string verbatim to the database driver for execution.
The vulnerable implementation in objects/subscribe.php demonstrates the direct concatenation flaw. The save() method builds the query string dynamically. The code snippet below illustrates the vulnerable INSERT statement construction prior to the patch.
```php
public function save()
{
    // ... omitted update logic (the branch that updates an existing record) ...
    } else {
        $this->status = 'a';
        // VULNERABLE CONCATENATION OF $this->users_id
        $sql = "INSERT INTO subscribes ( users_id, email, status, ip, created, modified, subscriber_users_id) VALUES ('{$this->users_id}', '{$this->email}', '{$this->status}', '" . getRealIpAddr() . "', now(), now(), '$this->subscriber_users_id')";
    }
    // Single-string call: the concatenated query reaches the driver with no parameter binding
    $saved = sqlDAL::writeSql($sql);
}
```

The official patch in commit 36dfae22059fbd66fd34bbc5568a838fc0efd66c redesigns the save() method to utilize parameterized queries. The sqlDAL::writeSql method signature changes to accept the query string, a type specification string, and an array of bound values. This architectural change ensures the database driver treats user input strictly as data, preventing SQL execution.
```php
public function save()
{
    // ... omitted update logic (the branch that updates an existing record) ...
    } else {
        $this->status = 'a';
        // PATCHED: Prepared statement with placeholders
        $sql = "INSERT INTO subscribes (users_id, email, status, ip, created, modified, subscriber_users_id) VALUES (?, ?, ?, ?, now(), now(), ?)";
        // "isssi": bind types for the five placeholders (int, string, string, string, int)
        $saved = sqlDAL::writeSql($sql, "isssi", [
            intval($this->users_id),
            (string) $this->email,
            (string) $this->status,
            getRealIpAddr(),
            intval($this->subscriber_users_id),
        ]);
    }
}
```

The patch introduces strict type casting to reinforce the prepared statements. The intval() function forces the users_id and subscriber_users_id parameters to integer types, while (string) applies to the email and status fields. This defense-in-depth approach eliminates the injection vector entirely within this specific method.
Exploitation of CVE-2026-33723 requires the attacker to possess a valid standard user account on the target WWBN AVideo instance. Authentication is necessary to interact with the subscription endpoints and trigger the vulnerable Subscribe::save() logic. The attacker must possess network access to send HTTP POST requests to /objects/subscribe.json.php.
The attack vector involves sending a crafted POST payload where the user_id parameter contains malicious SQL syntax. The attacker breaks out of the single-quote enclosure within the VALUES clause of the INSERT statement. By supplying a payload such as 1'), (SELECT user FROM users LIMIT 1), 'a', '1.1.1.1', now(), now(), 1)--, the attacker alters the structural integrity of the query.
This payload closes the intended value tuple and initiates a new one, embedding a subquery in place of an expected string parameter. The database executes the subquery and inserts the result into the email column of the newly created subscription record. The attacker retrieves the extracted data by viewing their subscription details or utilizing error-based SQL injection techniques if the application returns database errors in the HTTP response.
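To make the contrast between the two save() shapes concrete, the following is an added Python model (not AVideo code) of the pre-patch concatenation and the post-patch binding with the fix's intval()/(string) casts, run against the payload quoted above. It assumes sqlite3 as a stand-in for MySQL (a `now()` function is registered to match), constructed `users`/`subscribes` tables and rows, and a `php_intval` helper that mimics PHP's intval() on strings.

```python
import re
import sqlite3

# Payload quoted in the write-up above (a page value, not re-tested here).
PAGE_PAYLOAD = "1'), (SELECT user FROM users LIMIT 1), 'a', '1.1.1.1', now(), now(), 1)--"

COLUMNS = "users_id, email, status, ip, created, modified, subscriber_users_id"


def php_intval(value):
    """Emulate PHP intval() on a string: leading integer digits, else 0 (assumption)."""
    match = re.match(r"\s*([+-]?\d+)", str(value))
    return int(match.group(1)) if match else 0


def make_db():
    """Constructed in-memory stand-in for the MySQL schema (tables and rows are made up)."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("now", 0, lambda: "2026-03-26 00:00:00")  # MySQL now() stand-in
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, user TEXT, password TEXT);
        INSERT INTO users (user, password) VALUES ('admin', 'constructed-hash');
        CREATE TABLE subscribes (id INTEGER PRIMARY KEY, users_id INTEGER, email TEXT,
            status TEXT, ip TEXT, created TEXT, modified TEXT, subscriber_users_id INTEGER);
    """)
    return conn


def save_vulnerable(conn, users_id, email, subscriber_users_id, ip="127.0.0.1"):
    """Pre-patch shape: request values are spliced into the SQL text itself."""
    sql = (f"INSERT INTO subscribes ({COLUMNS}) VALUES ('{users_id}', '{email}', 'a', "
           f"'{ip}', now(), now(), '{subscriber_users_id}')")
    try:
        conn.execute(sql)
        return "ok"
    except sqlite3.Error as err:  # the input reached the SQL parser instead of being stored
        return f"sql error: {err}"


def save_patched(conn, users_id, email, subscriber_users_id, ip="127.0.0.1"):
    """Post-patch shape: constant SQL text, values bound with the fix's casts ("isssi")."""
    sql = f"INSERT INTO subscribes ({COLUMNS}) VALUES (?, ?, ?, ?, now(), now(), ?)"
    params = (php_intval(users_id), str(email), "a", str(ip), php_intval(subscriber_users_id))
    conn.execute(sql, params)
    conn.commit()
    return conn.execute(
        "SELECT users_id, email, subscriber_users_id FROM subscribes ORDER BY id DESC LIMIT 1"
    ).fetchone()


if __name__ == "__main__":
    db = make_db()
    print(save_vulnerable(db, PAGE_PAYLOAD, "me@example.com", 2))
    print(save_patched(db, PAGE_PAYLOAD, "me@example.com", 2))
```

With the patched path the same payload is reduced to the integer 1 by intval() and bound as data, so the SQL text the database parses never changes and nothing from `users` reaches the `subscribes` row.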
The primary security impact of this vulnerability is complete database read access. An authenticated attacker reads arbitrary data from any table accessible to the database user account used by the WWBN AVideo application. This access level permits the exfiltration of sensitive system information and user data.
Targeted exfiltration typically focuses on the users and configurations tables. Attackers extract administrator password hashes, cryptographic salts, API keys for external services, and integration tokens. The compromise of administrator credentials enables privilege escalation, resulting in full administrative control over the application infrastructure.
Integrity impact is categorized as low in the CVSS vector, as the primary injection occurs within an INSERT statement specifically targeting the subscribes table. Direct modification or deletion of arbitrary tables is constrained by the query structure. Availability remains unaffected, as the injection does not disrupt database operations or application routing.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

| Product | Affected Versions | Fixed Version |
|---|---|---|
| AVideo WWBN | <= 26.0 | Commit 36dfae22059fbd66fd34bbc5568a838fc0efd66c |

| Attribute | Detail |
|---|---|
| CWE ID | CWE-89 |
| Attack Vector | Network |
| Authentication | Required (Low Privilege) |
| CVSS v3.1 Score | 7.1 |
| EPSS Score | 0.00019 |
| CISA KEV | No |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')