cbcvebase.
CVE-2026-50182
published 2026-06-04


Severity: medium

# Unauthenticated Reflected XSS via `$_GET['search']` in AVideo YouTubeAPI Gallery Pagination

## Summary

A reflected Cross-Site Scripting vulnerability (CWE-79) in the AVideo YouTubeAPI plugin allows any unauthenticated attacker to execute arbitrary JavaScript in a victim's browser session when the victim follows a crafted URL. The `$_GET['search']` query parameter is concatenated directly into the `href` attribute of two pagination links in `plugin/YouTubeAPI/gallerySection.php` (lines 67 and 74) with no `htmlspecialchars`, no `urlencode`, and no allow-list check. An injected `<script>` element is then extracted by the AVideo Layout plugin and concatenated into a single trailing inline script block at the bottom of the page, where the browser executes it.

## Details

`plugin/YouTubeAPI/gallerySection.php` renders the YouTubeAPI plugin's gallery section on the AVideo homepage (and every page that includes `plugin/Gallery/view/mainArea.php`) when the plugin is enabled with `showGallerySection=true` (the default). The pagination block at lines 67 and 74 builds the previous-page and next-page `<a>` elements by string-interpolating `$_GET['search']` directly:

```php
// plugin/YouTubeAPI/gallerySection.php:67
prevPageToken}&search=".(@$_GET['search']); ?>" ...>

// plugin/YouTubeAPI/gallerySection.php:74
nextPageToken}&search=".(@$_GET['search']); ?>" ...>
```

The `@` operator only suppresses an undefined-index warning; it does not sanitize the value. A payload like `"><script>alert(1337)</script>` closes the `href` attribute, closes the `<a>` element, and injects a fresh `<script>` tag.
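The fix for this class of bug is to encode the value once for each context it passes through: percent-encode it as a query-string value, then HTML-escape the finished URL before it is placed inside a quoted attribute. The following is an added example, not code from the AVideo project: it places the unsanitized concatenation pattern next to a hardened link builder. The function names, the base path, and the sample token are assumptions made for illustration; `http_build_query` and `htmlspecialchars` are standard PHP functions.

```php
<?php
// Added example (not AVideo's own code): building the previous/next pagination
// href with context-appropriate encoding instead of raw string interpolation.
// Function names, $base and the sample token below are assumptions.

declare(strict_types=1);

/**
 * The unsanitized pattern, kept only for contrast. The raw query value is
 * dropped inside a double-quoted href, so any value containing '">' terminates
 * the attribute and the element and starts new markup.
 */
function unsafePaginationHref(string $base, string $token, string $search): string
{
    return "{$base}?pageToken={$token}&search=" . $search;
}

/**
 * Hardened builder: two encodings for two contexts.
 *  1. URL context: http_build_query() percent-encodes every key and value, so
 *     quotes, angle brackets and ampersands cannot form new parameters or markup.
 *  2. HTML attribute context: htmlspecialchars() with ENT_QUOTES escapes the
 *     finished URL (including the '&' separators, which become '&amp;') so it
 *     is safe to interpolate inside href="...".
 * The token is additionally allow-listed to the character set pagination
 * tokens are expected to use; anything else is dropped rather than echoed.
 */
function safePaginationHref(string $base, string $token, string $search): string
{
    if (!preg_match('/^[A-Za-z0-9_-]*$/', $token)) {
        $token = '';
    }
    $url = $base . '?' . http_build_query([
        'pageToken' => $token,
        'search'    => $search,
    ]);
    return htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample inputs standing in for $_GET['search'] and the API token.
$base   = '/plugin/YouTubeAPI/gallerySection.php';   // assumed path
$token  = 'CAUQAA';                                  // constructed token
$search = '"><script>alert(1337)</script>';          // payload shape from the advisory

// The first line shows the attribute breakout; the second shows the same value
// rendered as inert, percent-encoded text inside the href.
echo '<a href="' . unsafePaginationHref($base, $token, $search) . '">prev (unsafe)</a>' . PHP_EOL;
echo '<a href="' . safePaginationHref($base, $token, $search) . '">prev (safe)</a>' . PHP_EOL;
```

Run it from the command line with `php` and compare the two lines: in the hardened output the search value appears only as `%22%3E%3Cscript%3E...`, and the `&` between parameters is emitted as `&amp;`, so neither the URL parser nor the HTML parser can be steered into a new element.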

Two preconditions gate the sink. First, the YouTube API call must return a pagination token (always true for any non-trivial result set, since the mock or real YouTube response carries `nextPageToken` for multi-page queries). Second, `plugin/Gallery/view/mainArea.php` line 53 wraps the gallery render in `if (!empt

## Affected

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wwbn | avideo | 0 – 29.0 | |