CVE-2026-45610

5.7 MEDIUM

WWBN AVideo is an open source video platform

Published: 2026-05-29 · Last updated: 2026-06-01

Severity and scoring

CVSS: 5.7 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N
CWE: CWE-306, CWE-352

Affected products

Vendor	Product
wwbn	avideo

Description

WWBN AVideo is an open source video platform. In 29.0 and earlier, there is a cross-site request forgery vulnerability on the 2FA toggle. plugin/LoginControl/set.json.php accepts POST type=set2FA value=false, calls LoginControl::setUser2FA(User::getId(), false) on the session-authenticated user, and returns. There is no forbidIfIsUntrustedRequest() call, no isTokenValid() check, no X-CSRF-Token/SameSite enforcement, and no re-authentication step. A cross-origin page that the victim visits while logged into the AVideo dashboard issues the POST via a hidden form (or fetch without credentials:"omit") and disables the victim's 2FA in one request.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-45610
[Vendor advisory]https://github.com/WWBN/AVideo/security/advisories/GHSA-3mv2-vmwh-rwfx
[Vendor advisory]https://github.com/WWBN/AVideo/security/advisories/GHSA-3mv2-vmwh-rwfx

Related CVEs

Same vendor

CVE-2026-47696 — WWBN AVideo is an open source video platform (4.3 MEDIUM)
CVE-2026-47694 — WWBN AVideo is an open source video platform (5.4 MEDIUM)
CVE-2026-46337 — WWBN AVideo is an open source video platform (5.3 MEDIUM)
CVE-2026-45731 — WWBN AVideo is an open source video platform (4.9 MEDIUM)
CVE-2026-45620 — WWBN AVideo is an open source video platform (5.3 MEDIUM)

Same CWE

CVE-2026-49043 — Unauthenticated Cross Site Request Forgery (CSRF) in WP Migrate Lite <= 2.7.8 versions (4.7 MEDIUM)
CVE-2026-48518 — MultiJuicer is used to run separate Juice Shop instances on a central kubernetes cluster without the need for local instances (4.3 MEDIUM)
CVE-2018-25437 — WordPress CherryFramework Themes 3.1.4 contains an information disclosure vulnerability that allows unauthenticated attackers to download... (7.5 HIGH)
CVE-2016-20083 — WordPress More Fields Plugin 2.1 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized action... (5.3 MEDIUM)
CVE-2016-20074 — WordPress Lazy Content Slider Plugin 3.4 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorize... (4.3 MEDIUM)