CVE-2025-36548
Description
A reflected XSS vulnerability in AVideo's LoginWordPress plugin allows arbitrary JavaScript execution via the unsanitized cancelUri parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability exists in the plugin/LoginWordPress/view/loginForm.php file of WWBN AVideo. The cancelUri parameter from $_REQUEST is embedded directly into an anchor tag's href attribute without proper sanitization, despite a call to isValidURL(), which does not prevent XSS payloads. This results in a reflected cross-site scripting (XSS) flaw. Affected versions are AVideo 14.4 and the dev master commit 8a8954ff [1].
Exploitation
An attacker can craft a malicious URL containing a JavaScript payload in the cancelUri parameter (e.g., javascript:alert(1) or an encoded script). The attacker then tricks a victim into visiting this URL, for example via a phishing link. No authentication is required, but user interaction (clicking the link) is necessary. The payload is reflected in the page and executed in the victim's browser [1].
Impact
Successful exploitation allows arbitrary JavaScript execution in the context of the victim's session on the AVideo site. This can lead to data theft (e.g., cookies, session tokens), defacement, or further attacks such as credential harvesting. The CVSS score is 8.3 (High) with a scope change, indicating potential compromise of confidentiality, integrity, and availability [1].
Mitigation
As of the publication date, no official patch or fixed version has been disclosed in the available references. Users should monitor the AVideo repository for updates and consider restricting access to the login form or applying input validation as a temporary workaround. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog [1].
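The input validation suggested above, as an added example and not AVideo's own code: a validator for a cancel/redirect URI that accepts only same-origin http(s) URLs or single-slash local paths, falls back to a default otherwise, and still escapes the result for the attribute context. The site origin and the fallback path are constructed assumptions, not values from the advisory.

```php
<?php
// Added example, not AVideo's code: allowlist handling for a cancel/redirect
// URL before it is reflected into an href attribute. The origin and fallback
// path are constructed assumptions, not values from the advisory.
const SITE_ORIGIN = 'https://videos.example.test';
const DEFAULT_CANCEL = '/index.php';

/**
 * Return a cancel URI that is safe to reflect, or the fallback.
 * Only same-origin http(s) URLs and single-slash local paths are accepted,
 * so javascript:, data:, protocol-relative and backslash forms are rejected.
 */
function safeCancelUri(string $candidate, string $origin = SITE_ORIGIN, string $fallback = DEFAULT_CANCEL): string
{
    $candidate = trim($candidate);
    if ($candidate === '' || strlen($candidate) > 2048) {
        return $fallback;
    }
    // Control characters, whitespace and backslashes change how browsers parse the URL.
    if (preg_match('/[\x00-\x20\x7f\\\\]/', $candidate)) {
        return $fallback;
    }
    $parts = parse_url($candidate);
    $originHost = parse_url($origin, PHP_URL_HOST);
    if ($parts === false || $originHost === null) {
        return $fallback;
    }
    if (isset($parts['scheme'])) {
        // Absolute URL: scheme must be http/https and the host must be our own.
        if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
            return $fallback;
        }
        if (!isset($parts['host']) || strcasecmp($parts['host'], $originHost) !== 0) {
            return $fallback;
        }
    } elseif (isset($parts['host']) || !preg_match('#^/(?!/)#', $candidate)) {
        // Relative reference: require exactly one leading slash so "//evil.example" is rejected.
        return $fallback;
    }
    return $candidate;
}

// Validation picks the destination; escaping for the attribute context is still required.
$cancelUri = safeCancelUri($_REQUEST['cancelUri'] ?? '');
echo '<a href="' . htmlspecialchars($cancelUri, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">Cancel</a>', PHP_EOL;
```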
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 1
News mentions: 0
No linked articles in our index yet.