Jun 4, 2026
WWBN AVideo versions <= 29.0 allow authenticated users to achieve Stored XSS by inserting malicious payloads into category descriptions, executing arbitrary JavaScript when other users view the category page.
A Stored Cross-Site Scripting (XSS) vulnerability exists in WWBN AVideo versions up to and including 29.0. Unsanitized category descriptions are stored in the database and subsequently rendered as raw HTML in the Gallery view plugin, allowing low-privileged authenticated users to execute arbitrary JavaScript in the browsers of visiting users.
WWBN AVideo is an open-source web application for enterprise video hosting and sharing. The platform uses a modular, plugin-based architecture to extend media display capabilities. Within this architecture, the Gallery plugin organizes video content into separate categories. Category creation and curation are exposed to authenticated users through a management interface, so anything written there is stored persistently and rendered to every visitor of the category or gallery page.
The application contains a stored cross-site scripting (XSS) vulnerability, classified as CWE-79, within the handling of category descriptions. An authenticated user possessing permission to create or modify categories can insert malicious JavaScript into the description field. This input is stored in the database and subsequently executed within the security context of any user who visits the affected category or gallery view page.
This vulnerability exists independently of previously remediated cross-site scripting issues within video titles or user comments. It represents a persistent risk to platform administrators and visitors alike, as the stored payload executes automatically without direct interaction other than standard page navigation.
The technical root cause of this vulnerability lies in the complete absence of input validation and output sanitization across the category description data flow. When a user submits a category creation or update request, the input processing script objects/categoryAddNew.json.php accepts the description parameter via HTTP POST without filtering. The value is passed directly to the setDescription method of the Category object.
The setter method in objects/category.php accepts the raw string parameter and binds it directly to the database storage layer. This architecture operates on the assumption that stored data is safe, deferring safety checks to the presentation layer. However, the presentation layer fails to enforce appropriate contextual output encoding, resulting in multiple exploitable injection sinks.
The first critical sink is in plugin/Gallery/view/Category.php, where the category description is retrieved and rendered inside a paragraph element. The raw value is passed through the localization function __(), which looks the string up in the translated language files and returns it unchanged when no translation is defined. __() is a translation lookup, not an encoding step, and the result is emitted directly via PHP echo, so the browser interprets injected tags as markup.
The second critical sink is in plugin/Gallery/view/mainAreaCategory.php. The category description is written, unencoded, into a hidden div; a jQuery-based alert handler later reads it with $("#categoryDescription").html() and writes that string into a modal dialogue with .html(). The .html() getter returns the stored markup as a string and the .html() setter parses it as HTML (jQuery also evaluates any <script> elements it inserts), so script tags and event handler attributes in the stored description execute in the target browser. Because the hidden div is itself parsed as HTML on page load, the payload does not depend on the modal being opened; the modal is a second execution point.
A comparative analysis of the patch merged in commit 6a6ff1f5bff1904f91f612db9f0da083295392b1 shows the developer's remedial approach. In plugin/Gallery/view/Category.php, the raw output was replaced with HTML-purified output.

Vulnerable:

```php
<p style="margin-left: 10%; margin-right: 10%; max-height: 200px; overflow-x: auto;">
<?php echo __($category['description']); ?>
</p>
```

Patched:

```php
<p style="margin-left: 10%; margin-right: 10%; max-height: 200px; overflow-x: auto;">
<?php echo $category['description_html']; ?>
</p>
```

The patched version replaces the unescaped localized output with $category['description_html']. This field is produced by AVideo's integrated HTMLPurifier instance, which strips dangerous markup (such as <script> tags and event handler attributes) while preserving benign HTML formatting. Because the purified value is itself HTML and is echoed without further escaping, the safety of this sink rests entirely on description_html being populated through the purifier on every code path that writes a category.
In plugin/Gallery/view/mainAreaCategory.php, the raw database output was wrapped with standard PHP entity encoding and a custom link helper.

Vulnerable:

```php
<div id="categoryDescription<?php echo $duid; ?>" style="display: none;">
<?php echo $videos[0]['category_description']; ?>
</div>
```

Patched:

```php
<div id="categoryDescription<?php echo $duid; ?>" style="display: none;">
<?php echo textToLink(htmlentities($videos[0]['category_description'])); ?>
</div>
```

While this mitigates straightforward script injection, the completeness of the patch merits scrutiny. Calling htmlentities without explicit flags or charset uses the default of ENT_COMPAT | ENT_HTML401 on PHP < 8.1 (PHP 8.1 changed the default to ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401). ENT_COMPAT encodes double quotes but leaves single quotes untouched, so if the downstream textToLink() implementation places the string inside single-quoted HTML attributes, an attacker can still break out of the attribute. Separately, htmlentities does nothing to a javascript: or other non-HTTP URI scheme; whether such a string becomes a clickable href depends entirely on what textToLink() is willing to linkify.
An attacker can exploit this vulnerability by executing a series of coordinated requests. The prerequisite for this attack is an active session with low-level privileges allowing category creation or modification. The attack does not require administrative or system-level roles.
The attacker first crafts a payload designed to trigger execution via standard HTML event handlers. A common proof-of-concept payload uses the onerror attribute of a malformed image element: <img src=x onerror=alert(document.domain)>. The payload is submitted to /objects/categoryAddNew.json.php via a POST request containing the category configuration parameters.
For the stored script to render in the target's browser, the category must contain at least one assigned video, which satisfies the conditional processing checks in the Gallery plugin views. Once the video is assigned, the rendering loop triggers, placing the active payload into the HTML source. When a victim (such as an administrator or general user) visits the Gallery page or category listing, the DOM parser processes the hidden or visible divs, executing the injected script immediately.
The impact of this vulnerability is characterized by a CVSS v3.1 base score of 5.4 (Medium). The attack vector is Network and the attack complexity Low; privileges required are Low (any account permitted to create or edit categories), and user interaction is Required (a victim must view the affected page). Scope is Changed because the injected code executes in the victim's browser, outside the security authority of the vulnerable web component. Confidentiality and integrity impact are rated Low, availability None.
Because execution occurs within the security context of the victim's browser session, an attacker can perform actions on behalf of the victim. If an administrative user views the compromised category, the payload can perform administrative actions, such as creating new administrative accounts, modifying application configurations, or uploading malicious plugins to achieve remote code execution.
Additionally, the payload can read browser storage, including non-HttpOnly cookies and session tokens kept in localStorage or sessionStorage, enabling session hijacking. The EPSS score of 0.00035 (10.83rd percentile) indicates a low predicted probability of exploitation in the wild over the next 30 days, but the simplicity of the exploit means exposed, unpatched instances remain soft targets for targeted campaigns.
Remediation of CVE-2026-47694 requires upgrading WWBN AVideo to a version released after May 19, 2026, or manually applying the patch from commit 6a6ff1f5bff1904f91f612db9f0da083295392b1. Organizations unable to update immediately should restrict category creation and edit permissions to trusted, verified administrative staff.
For custom deployments, developers should replace weak escaping with strong, context-specific output encoding. The recommended approach is to combine HTMLPurifier for fields that legitimately carry formatted text with strict encoding for plain-text fields. Any plain value written into the HTML body or an attribute should pass through htmlspecialchars with the ENT_QUOTES | ENT_HTML5 flags and an explicit charset (for example 'UTF-8'), so that both quote characters are encoded and attribute breakout is not possible regardless of the PHP version's defaults.
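The following is an added example, not AVideo's code, illustrating both the htmlentities() caveat raised under the mainAreaCategory.php patch above and the strict htmlspecialchars() recommendation. The weak encoder spells out the pre-8.1 default flags so the behaviour reproduces on any PHP version; wrapTitle() and textToLinkSafe() are hypothetical stand-ins (not the project's textToLink()) for a downstream helper that uses single-quoted attributes and for an auto-linker that refuses non-HTTP schemes. The stored descriptions are constructed test inputs.

```php
<?php
// Added example, not AVideo's code. Shows why htmlentities() with the legacy
// default flags leaves single-quoted attributes breakable, and the strict
// helper the text recommends. Payloads and helpers are constructed/hypothetical.
declare(strict_types=1);

// Legacy default (PHP < 8.1): ENT_COMPAT | ENT_HTML401, spelled out so the
// result is the same on every PHP version. Encodes < > & " but not '.
function weakEncode(string $s): string
{
    return htmlentities($s, ENT_COMPAT | ENT_HTML401, 'UTF-8');
}

// Recommended: all five HTML metacharacters, and invalid UTF-8 replaced with
// U+FFFD (ENT_SUBSTITUTE) instead of the whole string silently becoming "".
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

// Hypothetical downstream helper that uses single-quoted attributes, the case
// the analysis warns about. Not the project's code.
function wrapTitle(string $value): string
{
    return "<span title='" . $value . "'>more</span>";
}

// Hypothetical auto-linker: only http(s) URLs become anchors, so a stored
// "javascript:..." string stays inert text. Expects already-encoded input.
function textToLinkSafe(string $encoded): string
{
    return preg_replace_callback(
        '~\bhttps?://[^\s<>"\']+~i',
        static function (array $m): string {
            return '<a href="' . $m[0] . '" rel="noopener noreferrer">' . $m[0] . '</a>';
        },
        $encoded
    );
}

// Constructed stored descriptions (test inputs, not real data).
$breakout = "x' onmouseover='alert(document.domain)";
$scheme   = 'see javascript:alert(1) and https://example.com/?a=1&b=<2>';

$checks = [
    // Weak path: the raw single quote survives, so the browser sees a second attribute.
    'weak encoding leaves a raw single quote' => strpos(weakEncode($breakout), "'") !== false,
    // Strict path: no raw quote of either kind remains.
    'strict encoding leaves no raw quotes' => strpbrk(e($breakout), "'\"") === false,
    // Neither encoder touches "javascript:"; the linker decides what becomes a href.
    'javascript: scheme is not linkified' => strpos(textToLinkSafe(e($scheme)), 'href="javascript') === false,
    'https URL is linkified' => strpos(textToLinkSafe(e($scheme)), '<a href="https://example.com/') !== false,
];

foreach ($checks as $label => $ok) {
    printf("[%s] %s\n", $ok ? 'ok' : 'FAIL', $label);
}
echo wrapTitle(weakEncode($breakout)), PHP_EOL;   // attribute breakout intact
echo wrapTitle(e($breakout)), PHP_EOL;            // quotes encoded, breakout defeated

exit(in_array(false, $checks, true) ? 1 : 0);
```

Run with `php encode-demo.php`; the two echoed lines make the difference visible: the weak variant emits a `<span>` with a live onmouseover attribute, the strict variant emits one whose title simply contains encoded quote characters. The linker check shows that encoding alone says nothing about URI schemes; that decision belongs to whatever turns text into anchors.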
Furthermore, a robust Content Security Policy (CSP) limits the damage of any stored XSS that slips through encoding. A script-src directive such as script-src 'self' (with no 'unsafe-inline') prevents the browser from executing inline scripts and inline event handler attributes, which is exactly what payloads like onerror= rely on. The caveat is that the same policy also blocks the application's own inline scripts and onclick-style handlers, so legitimate inline code must be moved to external files or allowed via per-response nonces or hashes. CSP is defense in depth, not a substitute for fixing the sinks.
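As an added example (not AVideo's code or configuration), the snippet below emits a per-response nonce-based CSP from PHP. Injected inline scripts and event handler attributes carry no nonce and are blocked; the page's own inline `<script>` runs because it carries the nonce. The directive set, the helper names and the page markup are assumptions for illustration.

```php
<?php
// Added example, not AVideo's code: per-response nonce-based CSP.
// Anything injected via stored XSS (inline <script>, onerror=, javascript: URLs)
// has no nonce and is refused by the browser; the page's own inline script is
// allowed because it carries the nonce. Directive set is an illustrative choice.
declare(strict_types=1);

// One fresh nonce per response. 16 random bytes, base64-encoded as CSP expects.
function cspNonce(): string
{
    static $nonce = null;
    return $nonce ??= base64_encode(random_bytes(16));
}

function cspHeader(string $nonce): string
{
    return 'Content-Security-Policy: '
        . "default-src 'self'; "
        . "script-src 'self' 'nonce-{$nonce}'; "   // no 'unsafe-inline'
        . "object-src 'none'; "
        . "base-uri 'self'; "
        . "frame-ancestors 'self'";
}

$nonce = cspNonce();
if (!headers_sent()) {
    header(cspHeader($nonce));
}

// Constructed stand-in for a stored category description.
$description = '<img src=x onerror=alert(document.domain)>';
?>
<!doctype html>
<meta charset="utf-8">
<p>
  <?php /* Encoding stays the primary fix; CSP is the second layer. */ ?>
  <?= htmlspecialchars($description, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8') ?>
</p>
<script nonce="<?= $nonce ?>">
  // Legitimate page script: executes because the nonce matches the header.
  console.log('gallery ready');
</script>
```

With this header in place, an `onerror=` attribute or `<script>` element that reaches the DOM without a nonce is reported as a CSP violation in the browser console instead of executing. The nonce must be unpredictable and regenerated for every response; reusing one (or caching the page with the nonce baked in) defeats the protection.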
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

| Product | Affected Versions | Fixed Version |
|---|---|---|
| AVideo WWBN | <= 29.0 | commit 6a6ff1f5bff1904f91f612db9f0da083295392b1 (releases after May 19, 2026) |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-79 |
| Attack Vector | Network |
| CVSS Base Score | 5.4 (Medium) |
| EPSS Score | 0.00035 (10.83% percentile) |
| Impact | Stored Cross-Site Scripting / Session Hijacking |
| Exploit Status | Proof-of-Concept Available |
| KEV Status | Not Listed |
The application does not neutralize or incorrectly neutralizes user-controlled input before it is placed in output that is used to generate a web page.