Jun 4, 2026·7 min read·10 visits
Unauthenticated attackers can supply malicious parameters during WebSocket handshakes to trigger stored DOM-based XSS, leading to session hijacking and remote execution of administrative actions in WWBN AVideo.
An unauthenticated stored DOM-based Cross-Site Scripting (DOM XSS) vulnerability in the YPTSocket plugin of WWBN AVideo (formerly YouPHPTube) allows remote attackers to execute arbitrary JavaScript within the session context of administrative users. Unsanitized metadata parameters supplied during the WebSocket handshake are persisted in an SQLite database and broadcast to connected users. The frontend application processes these parameters through an unsafe jQuery append sink, leading to silent, high-impact administrative context compromise.
The WWBN AVideo video-sharing platform supports real-time features through its YPTSocket plugin. This plugin utilizes ReactPHP and the Ratchet WebSocket library to establish communication tunnels between browsers and the backend server. These real-time sockets coordinate live-stream viewers, synchronized video playback, and server-to-client notifications. The socket architecture maintains connection lists and tracks metadata for every online user.
To manage connected clients, the YPTSocket service processes incoming connection parameters and registers each connection session. Unauthenticated users can request connection tokens and join the WebSocket daemon. Because the connection registration endpoint does not validate metadata values passed during the handshake, an unauthenticated client can supply arbitrary strings as their location, active page, or page title parameters.
This lack of validation exposes an attack surface where input values are trusted implicitly and written to the application's transient state storage. Because the application broadcasts this metadata to administrative dashboards without sanitization, it establishes a stored DOM-based Cross-Site Scripting (XSS) pathway. This allows unauthenticated external actors to target privileged application users who are viewing dynamic administration control panels.
The core flaw exists within the ingestion logic of the WebSocket server and the corresponding handling routine in the client-side JavaScript engine. When a WebSocket connection handshake occurs, the YPTSocket server parses parameters directly from the connection query string. Specifically, inside plugin/YPTSocket/MessageSQLiteV2.php, the method onOpen extracts the raw HTTP query string via the connection URI and deserializes the parameters into variables.
The server fails to sanitize the input values from webSocketSelfURI and page_title before adding them to the connection state dictionary. The parameter page_title is processed through the standard PHP function utf8_encode(), which standardizes encoding characters to UTF-8 but performs zero neutralization or character validation. Similarly, the webSocketSelfURI value is loaded directly into the client dictionary without filtering or scheme checking. This state dictionary is immediately written to an in-memory SQLite database, which is used to cache user connection records.
The database persistence step renders this vulnerability a stored DOM-based flaw. The ReactPHP event loop periodically reads these entries from SQLite and broadcasts them to all other connected clients. On the frontend, plugin/YPTSocket/script.js processes this broadcast payload dynamically. The client application takes the unescaped strings and dynamically constructs an HTML anchor element inside template literals, inserting them directly into the active browser DOM. Because the frontend relies on the unsafe jQuery .append() function, the browser parses the unescaped payload as active HTML and executes any script contexts embedded within it.
Prior to the patch, the connection metadata processing in plugin/YPTSocket/MessageSQLiteV2.php did not sanitize input parameters before database insertion. The vulnerable assignment logic for the client connection metadata is structured as follows:
// Vulnerable server-side registration logic
if (!empty($wsocketGetVars['webSocketSelfURI'])) {
$client['selfURI'] = $wsocketGetVars['webSocketSelfURI'];
} else {
$client['selfURI'] = $json->selfURI;
}
$client['isCommandLine'] = @$wsocketGetVars['isCommandLine'];
$client['page_title'] = @utf8_encode(@$wsocketGetVars['page_title']);The corresponding client-side display logic in plugin/YPTSocket/script.js processes these parameters in the user interface card builder. The values are concatenated into a string template literal and outputted into the DOM using an unsafe sink:
// Vulnerable client-side DOM manipulation sink
if (userData.page_title) {
textParts.push(userData.page_title);
}
const finalText = textParts.join(' ');
const html = `
<a href="${selfURI}" target="_blank"
class="${className} btn btn-primary btn-sm btn-block mb-1"
data-resource-id="${resourceId}"
data-toggle="tooltip"
title="${tooltip}"
>
<i class="far fa-compass"></i> ${finalText}
</a>`;
$(`#${socketUserDivID} .socketUserPages`).append(html);The use of jQuery's .append() with finalText and selfURI enables immediate injection. If page_title contains HTML markup (e.g., an image tag with an onerror script handler), jQuery parses it as an executable DOM tree element. If selfURI contains quote marks, an attacker can break out of the href attribute context to inject event handlers (e.g., onload, onmouseover) or execute the target script immediately using the javascript: pseudo-protocol scheme.
An attacker can exploit this vulnerability without any prior authentication on the AVideo application. The first prerequisite is obtaining a valid WebSocket token, which the application issues to any visitor, including guest sessions. This token is acquired by querying the public endpoint /plugin/YPTSocket/getWebSocket.json.php.
Once the token is retrieved, the attacker initiates a standard WebSocket connection to the application socket server, appending the injection payload within the connection parameters of the WebSocket handshake query string. The attacker can deliver two distinct vectors within a single connection: an HTML element breakout via the page_title parameter, or a URI-based protocol payload via the webSocketSelfURI parameter.
Once the handshake is completed, the YPTSocket server stores the active connection state containing the unescaped payloads. The server then transmits a NEW_CONNECTION message to all online clients. When any administrative user opens or interacts with an administrative panel that displays active client cards, the client-side JavaScript engine receives the serialized payload and runs .append(). This forces the administrative user's browser to execute the injection code silently, allowing actions like credential harvesting, session hijacking, or automated server modifications.
This vulnerability carries a CVSS score of 8.8 (High Severity), as it allows unauthenticated execution of remote scripting commands inside targeted administrative sessions. The impact of successful exploitation is complete compromise of the affected user's session context. If the targeted user has administrative permissions, the attacker can hijack active browser sessions, steal administrative session tokens, and bypass Multi-Factor Authentication (MFA) via dynamic browser proxying.
Because AVideo is configured to allow administrators to configure system settings, install plugins, and execute command-line shell updates, session hijacking at this tier translates directly to Remote Code Execution (RCE) on the underlying server host. This can be achieved by utilizing the hijacked administrative session to upload a malicious PHP web shell or modify core system execution settings.
Furthermore, this vulnerability acts as a highly reliable attack path because of the stored nature of the payload. The attacker does not need to phish the administrator or trick them into clicking a specific link. The attacker merely connects to the public-facing socket, and the platform delivers the payload to the administrator's dashboard. This completely circumvents traditional client-side mail filters and network-level firewalls that inspect incoming HTTP request bodies.
To remediate this vulnerability, developers must restrict parameters during server-side database insertion and ensure the client-side presentation layer does not evaluate strings as code. The patch applied to plugin/YPTSocket/MessageSQLiteV2.php implements verification logic to validate the structure of the input variables.
The server-side fix filters incoming URI values and encodes text sequences securely. It processes page_title parameters with htmlspecialchars configured with the ENT_QUOTES | ENT_HTML5 flags to sanitize tag delimiters. Additionally, the updated registration handler validates the structure of webSocketSelfURI to ensure it represents a valid URL using FILTER_VALIDATE_URL and matches an allowed HTTPS scheme.
// Patched server-side registration logic
if (!empty($wsocketGetVars['webSocketSelfURI'])) {
$rawURI = $wsocketGetVars['webSocketSelfURI'];
if (filter_var($rawURI, FILTER_VALIDATE_URL) && preg_match('/^https?:\/\//i', $rawURI)) {
$client['selfURI'] = $rawURI;
} else {
$client['selfURI'] = $json->selfURI;
}
} else {
$client['selfURI'] = $json->selfURI;
}
$client['page_title'] = htmlspecialchars((string)@$wsocketGetVars['page_title'], ENT_QUOTES | ENT_HTML5, 'UTF-8');While this server-side sanitization prevents the storage of raw HTML payloads, long-term security relies on updating the frontend script. Developers should refactor client-side code to replace jQuery's unsafe .append() sink with safe, native DOM APIs such as element.textContent or jQuery's safer .text() method to prevent raw strings from being executed as active HTML markup.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N| Product | Affected Versions | Fixed Version |
|---|---|---|
AVideo WWBN | <= 11.6 | Commit 8be71e53ccbe9b84b30870db386fb4d2b11e1c16 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-79 |
| Attack Vector | Network |
| CVSS v3.1 Score | 8.8 |
| Exploit Status | Proof of Concept |
| Impact | Administrative Session Hijacking / Stored XSS |
| CISA KEV Status | Not Listed |
The software does not neutralize or incorrectly neutralizes user-controlled input before it is placed in output that is used to active web pages.
A stored Cross-Site Scripting (XSS) vulnerability exists within plone.restapi, the REST API package for Plone content management system. By supplying a spoofed input MIME type (text/x-html-safe), an attacker can mislead the rendering layer (plone.app.textfield) into assuming that the supplied content is already sanitized. This causes the system to skip the safe_html transform, allowing arbitrary JavaScript to execute in the victim's browser when they view the compromised page.
An untrusted search path vulnerability in the GlobalDatabasePlugin component of the AWS Advanced JDBC Wrapper for Amazon Aurora PostgreSQL allows authenticated, low-privilege database users to hijack administrative session queries. By defining a custom function in a writable schema such as the public schema, an attacker can hijack queries executed automatically during driver-level topology detection. When a highly privileged database user connects to the database utilizing an affected version of the wrapper, the custom function executes under their security context, enabling remote privilege escalation to rds_superuser.
CVE-2026-27771 represents a critical security flaw in Gitea and Forgejo (up to and including version 1.26.1) involving missing authorization checks (CWE-862). Unauthenticated remote attackers can query, enumerate, and download private container images from the OCI-compliant container registry. Additionally, unauthorized users can retrieve private or internal source repository URLs via the Composer package registry metadata API. A public proof-of-concept exists, and threat metrics indicate highly active scanning and exploitation risks.
A missing authorization vulnerability in the Formie plugin for Craft CMS prior to version 3.1.28 allows low-privileged Control Panel users to read and modify sensitive administrative settings, configuration options, and third-party integrations.
CVE-2026-53598 is a directory traversal and arbitrary file read vulnerability in Microsoft Prompty ecosystem loaders across multiple languages. Prior to version 2.0.0-beta.2, the loaders resolved `${file:...}` reference strings inside frontmatter configuration blocks without enforcing that the target file paths resided within authorized directories. This deficiency allows an attacker-controlled configuration file to read sensitive operating system and application files through absolute paths, directory traversal, or symbolic link escapes. The issue is addressed across the Python, C#, Node.js/TypeScript, and Rust ecosystems.
A directory traversal vulnerability exists in the copy subcommand of the proot-distro utility. Due to incomplete path sanitization, local attackers or malicious scripts can read from or write to arbitrary files outside the container rootfs, bypassing isolation barriers and potentially gaining unauthorized access or persistent execution on the host system.