CVE-2025-36548
A cross-site scripting (XSS) vulnerability exists in the LoginWordPress loginForm cancelUri parameter functionality of WWBN AVideo 14.4 and dev master commit 8a8954ff. A specially crafted HTTP request can lead to arbitrary JavaScript execution. An attacker can get a user to visit a webpage to trigger this vulnerability.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
WWBN AVideo 14.4
WWBN AVideo dev master commit 8a8954ff
AVideo - https://github.com/WWBN/AVideo
8.3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
CWE-79 - Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
AVideo is a web application, mostly written in PHP, that can be used to create an audio/video sharing website. It allows users to import videos from various sources, encode and share them in various ways. Users can sign up to the website in order to share videos, while viewers have anonymous access to the publicly-available contents. The platform provides plugins for features like live streaming, skins, YouTube uploads and more.
The PHP file plugin/LoginWordPress/view/loginForm.php is vulnerable to an XSS issue due to missing sanitization of the cancelUri parameter:
...
<?php
if (!empty($_REQUEST['cancelUri']) && isValidURL($_REQUEST['cancelUri'])) {
?>
    <div class="row <?php echo getCSSAnimationClassAndStyle(); ?>">
        <div class="col-md-12">
[1]         <a href="<?php echo $_REQUEST['cancelUri']; ?>"
                class="btn btn-link btn-block"><i class="fas fa-arrow-left"></i> <?php echo __("Cancel"); ?></a>
        </div>
    </div>
<?php
}
?>
...
The cancelUri parameter is not properly sanitized before being embedded into the page contents [1], resulting in a straightforward reflected cross-site scripting (XSS) vulnerability. An attacker could exploit this flaw to execute malicious actions, such as compromising an administrator account. For instance, an attacker might deceive an administrator into clicking a crafted link that triggers the XSS attack.
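A hardened form of the cancelUri handling, as an added example (not AVideo's code): it keeps a URL validity check but adds a scheme allowlist and, which is what the original template lacks, encodes the value for the HTML attribute context before it reaches href. safeCancelUri() and renderCancelLink() are hypothetical names.

```php
<?php
declare(strict_types=1);

// Added example, not AVideo's code: a hardened replacement for the block
// at [1]. Two independent controls: a scheme allowlist, and encoding for
// the HTML attribute context so the value cannot terminate href="...".
// safeCancelUri() and renderCancelLink() are hypothetical names.

/**
 * Return the cancelUri ready to be placed inside a double-quoted href
 * attribute, or null if the value must not be used at all.
 */
function safeCancelUri(?string $raw): ?string
{
    if ($raw === null || $raw === '') {
        return null;
    }
    // Structural validation: must parse as an absolute URL.
    if (filter_var($raw, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    // Scheme allowlist; parse_url() returns the scheme without the ':'.
    $scheme = strtolower((string) parse_url($raw, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }
    // Context-specific output encoding: the step the vulnerable template
    // lacks. ENT_QUOTES converts both '"' and "'", so the attribute cannot
    // be broken out of even if the validator lets such characters through.
    return htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Build the Cancel link, or an empty string when there is no safe URL. */
function renderCancelLink(?string $raw, string $label = 'Cancel'): string
{
    $href = safeCancelUri($raw);
    if ($href === null) {
        return '';
    }
    return '<a href="' . $href . '" class="btn btn-link btn-block">'
        . htmlspecialchars($label, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</a>';
}

// In the template, [1] becomes: echo renderCancelLink($_REQUEST['cancelUri'] ?? null);
// Constructed inputs, for illustration only:
echo renderCancelLink('https://example.com/videos?list=1&x=2'), PHP_EOL; // allowed scheme
echo renderCancelLink('javascript:void(0)'), PHP_EOL;                      // scheme not in allowlist
```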
Note that the code above becomes accessible only when the LoginWordPress plugin is activated and the “Custom WP Site” field is filled in within the plugin settings. Enabling this configuration provides an alternative login method via a custom WordPress website. The login form displayed for this custom WordPress site is the vulnerable component discussed in this advisory.
Moreover, in order to trigger this vulnerability, the victim must be logged off from AVideo. To do this it’s enough to request https://localhost/logoff before redirecting the user to the userLogin.php page.
2025-07-08 - Vendor Disclosure
2025-07-08 - Vendor Patch Release
2025-07-24 - Public Release
Discovered by Claudio Bozzato of Cisco Talos.