CVE-2026-50182
Published 2026-06-04. Severity: medium.
# Unauthenticated Reflected XSS via `$_GET['search']` in AVideo YouTubeAPI Gallery Pagination

## Summary

A reflected cross-site scripting vulnerability (CWE-79) in the AVideo YouTubeAPI plugin allows any unauthenticated attacker to execute arbitrary JavaScript in a victim's browser session when the victim follows a crafted URL. The `$_GET['search']` query parameter is concatenated directly into the `href` attribute of two pagination links in `plugin/YouTubeAPI/gallerySection.php` (lines 67 and 74) with no `htmlspecialchars`, no `urlencode`, and no allow-list check. An injected `<script>` element is then extracted by the AVideo Layout plugin and concatenated into a single trailing inline script block at the bottom of the page, where the browser executes it.

## Details

`plugin/YouTubeAPI/gallerySection.php` renders the YouTubeAPI plugin's gallery section on the AVideo homepage (and on every page that includes `plugin/Gallery/view/mainArea.php`) when the API plugin is enabled with `showGallerySection=true` (the default). The pagination block at lines 67 and 74 builds the previous-page and next-page `<a>` elements by string-interpolating `$_GET['search']` directly:

```php
// plugin/YouTubeAPI/gallerySection.php:67 (only the tail of the line is quoted)
prevPageToken}&search=".(@$_GET['search']); ?>" ...>
// plugin/YouTubeAPI/gallerySection.php:74 (only the tail of the line is quoted)
nextPageToken}&search=".(@$_GET['search']); ?>" ...>
```

The `@` operator only suppresses an undefined-index warning; it does not sanitize the value. A payload such as `"><script>alert(1337)</script>` closes the `href` attribute, closes the `<a>` element, and injects a fresh `<script>` tag.

Two preconditions gate the sink. First, the YouTube API call must return a pagination token (always true for any non-trivial result set, since the mock or real YouTube response carries `nextPageToken` for multi-page queries). Second, `plugin/Gallery/view/mainArea.php` line 53 wraps the gallery render in `if (!empt
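The two-layer encoding the Summary says is missing (URL-encode the query value, then HTML-escape the attribute), shown next to the raw-concatenation pattern. This is an added example, not AVideo's own code; `$baseUrl`, `$pageToken`, `$search` and both function names are placeholders for the values `gallerySection.php` interpolates.

```php
<?php
// Added example, not from the AVideo project. $baseUrl, $pageToken and $search
// stand in for the values gallerySection.php interpolates into the <a href>.

/**
 * Same pattern as the vulnerable lines: the search value is dropped into a
 * quoted href with no encoding, so a value containing '">' ends the attribute
 * and the element and whatever follows is parsed as markup.
 */
function buildPaginationLinkVulnerable(string $baseUrl, string $pageToken, ?string $search): string
{
    return '<a href="' . $baseUrl . '?pageToken=' . $pageToken . '&search=' . $search . '">Next</a>';
}

/**
 * Hardened form. http_build_query percent-encodes the value for the URL
 * context (quotes, angle brackets, '&' and spaces cannot alter the query), and
 * htmlspecialchars with ENT_QUOTES escapes the result for the attribute
 * context, so the attribute cannot be terminated even if an upstream change
 * ever passes the value through unencoded. The null-coalescing default
 * replaces the '@' suppression for a missing parameter.
 */
function buildPaginationLinkSafe(string $baseUrl, string $pageToken, ?string $search): string
{
    $query = http_build_query([
        'pageToken' => $pageToken,
        'search'    => $search ?? '',
    ]);
    $href = htmlspecialchars($baseUrl . '?' . $query, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<a href="' . $href . '">Next</a>';
}

// Constructed sample input: the probe string from the advisory and a made-up token.
$search = '"><script>alert(1337)</script>';
$token  = 'CAoQAA';
echo buildPaginationLinkVulnerable('/', $token, $search), PHP_EOL; // breaks out of href
echo buildPaginationLinkSafe('/', $token, $search), PHP_EOL;       // stays inside the attribute
```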
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wwbn | avideo | 0 – 29.0 | — |
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.