AVideo TopMenu Plugin - Stored Cross-Site Scripting via Unescaped Menu Item Fields

An attacker who gains admin access can save a crafted menu item with malicious payloads in the icon, URL, or text fields, which are rendered unescaped on every public page via plugin hooks [ref_id=1]. Because `menuItemSave.json.php` lacks CSRF token validation, a cross-origin POST from an attacker-controlled page can create the malicious menu item if an admin visits that page while logged in, chaining CSRF with stored XSS [ref_id=1]. The injected JavaScript executes for all site visitors, enabling session cookie theft, phishing redirects, or actions on behalf of authenticated users [CWE-79].

The TopMenu plugin's `HTMLMenuRight.php:24` injects the icon class directly (`<i class="<?php echo $value2['icon'] ?>">`), `HTMLMenuRight.php:40` and `HTMLMenuLeft.php:32` render the URL without encoding, and `index.php:49` echoes the menu item text raw. The `menuItemSave.json.php` endpoint stores these values without sanitization and lacks CSRF token validation.

The advisory recommends applying `htmlspecialchars()` with `ENT_QUOTES` and UTF-8 encoding to all outputs of `$value2['finalURL']`, `$value2['icon']`, and `$menuItem->getText()` in `HTMLMenuRight.php`, `HTMLMenuLeft.php`, `floatMenu.php`, and `index.php` [ref_id=1]. This ensures that any HTML or JavaScript injected into those fields is rendered as harmless text rather than executed by the browser. No patch has been published by the vendor at the time of the advisory.