{"uuid": "930acdf4-c087-4aaf-812c-8c7c7d500ac9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-8whc-2wmv-ww35", "type": "seen", "source": "https://gist.github.com/alon710/e4f45dc043ae5511143b6c6428b68699", "content": "# GHSA-8whc-2wmv-ww35: Unauthenticated Stored DOM-based Cross-Site Scripting in WWBN AVideo YPTSocket Plugin\n\n> **CVSS Score:** 8.8\n> **Published:** 2026-06-04\n> **Full Report:** https://cvereports.com/reports/GHSA-8WHC-2WMV-WW35\n\n## Summary\nAn unauthenticated stored DOM-based Cross-Site Scripting (DOM XSS) vulnerability in the YPTSocket plugin of WWBN AVideo (formerly YouPHPTube) allows remote attackers to execute arbitrary JavaScript within the session context of administrative users. Unsanitized metadata parameters supplied during the WebSocket handshake are persisted in an SQLite database and broadcast to connected users. The frontend application processes these parameters through an unsafe jQuery append sink, leading to silent, high-impact administrative context compromise.\n\n## TL;DR\nUnauthenticated attackers can supply malicious parameters during WebSocket handshakes to trigger stored DOM-based XSS, leading to session hijacking and remote execution of administrative actions in WWBN AVideo.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-79\n- **Attack Vector**: Network\n- **CVSS v3.1 Score**: 8.8\n- **Exploit Status**: Proof of Concept\n- **Impact**: Administrative Session Hijacking / Stored XSS\n- **CISA KEV Status**: Not Listed\n\n## Affected Systems\n\n- WWBN AVideo platform with the YPTSocket plugin enabled\n- **AVideo**: <= 11.6 (Fixed in: `Commit 8be71e53ccbe9b84b30870db386fb4d2b11e1c16`)\n\n## Mitigation\n\n- Apply the official vendor patch from the WWBN AVideo repository to update `plugin/YPTSocket/MessageSQLiteV2.php`.\n- Implement a robust Content Security Policy (CSP) header restricting the execution of dynamic, inline scripts.\n- Adopt safe DOM manipulation methods in frontend templates by replacing jQuery `.append()` with safe text-binding APIs.\n\n**Remediation Steps:**\n1. Access the WWBN AVideo server host shell and navigate to the AVideo installation directory.\n2. Fetch the latest patches from the upstream repository or apply the diff for commit `8be71e53ccbe9b84b30870db386fb4d2b11e1c16` manually.\n3. Verify that the file `plugin/YPTSocket/MessageSQLiteV2.php` includes the `htmlspecialchars` and `filter_var` sanitization routines.\n4. Restart the ReactPHP WebSocket background process (usually run via supervisor or systemd) to flush the memory database and load the new script logic.\n\n## References\n\n- [GHSA-8WHC-2WMV-WW35 Advisory](https://github.com/WWBN/AVideo/security/advisories/GHSA-8whc-2wmv-ww35)\n- [Vulnerable Server-Side Code Reference](https://github.com/WWBN/AVideo/blob/8be71e53ccbe9b84b30870db386fb4d2b11e1c16/plugin/YPTSocket/MessageSQLiteV2.php)\n- [Vulnerable Client-Side Code Reference](https://github.com/WWBN/AVideo/blob/8be71e53ccbe9b84b30870db386fb4d2b11e1c16/plugin/YPTSocket/script.js)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-8WHC-2WMV-WW35) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-04T19:11:03.000000Z"}