CVE-2026-34613 - Vulnerability Analysis
Medium | CVSS: 6.5 | Last Updated: April 1, 2026
WWBN AVideo - Cross Site Request Forgery
Published: March 31, 2026 | Updated: April 1, 2026 | PoC Available | Remote Exploitable
Overview
WWBN AVideo <= 26.0 contains a cross-site request forgery (CSRF) vulnerability caused by missing CSRF token validation in objects/pluginSwitch.json.php and by bypassed ORM security checks. Attackers can disable critical plugins through crafted requests that are sent using an admin's session.
Severity & Score
Severity: Medium
CVSS Score: 6.5
Impact
Attackers can disable critical security plugins by tricking an admin, potentially weakening site security and enabling further attacks.
Mitigation
Update to the latest version once patches are available, or implement CSRF token validation and restrict plugin modification endpoints.
Details
- CVE ID: CVE-2026-34613
- Severity: Medium
- CVSS Score: 6.5
- Type: cross_site_request_forgery
- Status: confirmed
CWE
- CWE-352
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N