wwbn
Web & CMS Plugins | commercial
Latest CVEs
The 15 most recently published vulnerabilities affecting wwbn.
- CVE-2026-56347 AVideo TopMenu Plugin - Stored Cross-Site Scripting via Unescaped Menu Item Fields (6.1)
- CVE-2026-45580 WWBN AVideo Live: stored XSS via unescaped stream key in modeYoutubeLive.php class attribute (5.4)
- CVE-2026-45578 WWBN AVideo Live: OS command injection in on_publish.php execAsync via unescaped m3u8 URL (8.8)
- CVE-2026-45610 WWBN AVideo plugin/LoginControl/set.json.php: 2FA toggle endpoint has no CSRF protection, letting an attacker page silently disable a logged-in victim's 2FA (5.7)
- CVE-2026-45619 AVideo CVE-2026-43884 incomplete fix - `isSSRFSafeURL()` call sites still discard the `$resolvedIP` out-param at master HEAD post (6.5)
- CVE-2026-45620 AVideo CVE-2026-43881 incomplete fix - `objects/mention.json.php:17` is an unauthenticated user enumeration (5.3)
- CVE-2026-45731 WWBN AVideo: Authenticated Arbitrary File Read in view/update.php (4.9)
- CVE-2026-46337 WWBN AVideo: Unauthenticated Arbitrary Image Read via Path Traversal in `view/img/image404Raw.php` (5.3)
- CVE-2026-47694 WWBN AVideo: Stored XSS via unescaped Gallery category description (5.4)
- CVE-2026-47696 WWBN AVideo: Authenticated wallet credit bypass in AuthorizeNet processPayment endpoint (4.3)
- CVE-2026-43884 WWBN AVideo: SSRF Protection Bypass via HTTP Redirect and DNS Rebinding in isSSRFSafeURL() (7.7)
- CVE-2026-43883 WWBN AVideo: IDOR in PayPalYPT agreementCancel.json.php Allows Any Authenticated User to Cancel Arbitrary PayPal Subscription Agreements (4.2)
- CVE-2026-43882 WWBN AVideo: Unauthenticated CRLF/ICS Injection in Scheduler downloadICS.php Allows Calendar Event Spoofing (4.3)
- CVE-2026-43881 WWBN AVideo: Unauthenticated User Enumeration in `objects/users.json.php` via `isCompany` Parameter Flips `$ignoreAdmin = true` and Defeats Admin-Only Listing Guard (5.3)
- CVE-2026-43880 WWBN AVideo: Unauthenticated Arbitrary Email Sending via sendEmail.json.php Allows Phishing from Site's Legitimate From Address (5.3)