Non-encrypted confidential information in wwbn/avideo

Description

AVideo has Plaintext Video Password Storage

Summary

AVideo allows content owners to password-protect individual videos. The video password is stored in the database in plaintext — no hashing, salting, or encryption is applied. If an attacker gains read access to the database (via SQL injection, a database backup, or misconfigured access controls), they obtain all video passwords in cleartext.

Details

File: objects/video.php

Vulnerable setter:

public function setVideo_password($video_password)
{
    AVideoPlugin::onVideoSetVideo_password($this->id, $this->video_password, $video_password);
    $this->video_password = trim($video_password);
}

Vulnerable getter:

public function getVideo_password()
{
    if (empty($this->video_password)) {
        return '';
    }
    return trim($this->video_password);
}

The value assigned to $this->video_password is only passed through trim() before being persisted to the video_password column of the videos table. There is no call to any hashing function (e.g., password_hash(), sha256, or similar).

When a visitor enters a password to access a protected video, the comparison is done directly against the stored plaintext:

// Comparison at access check:
if ($video->getVideo_password() === $_POST['password']) { ... }

This means:

- Any database read (SQL injection, backup leak, hosting panel access) exposes all video passwords as cleartext.

- Video passwords are often reused by users across other services, making this a credential harvesting risk.

- The plaintext value is also present in application memory and any query logs.

PoC

1. Set a password on any video via the AVideo admin/creator UI.

2. Query the database: SELECT clean_title, video_password FROM videos WHERE video_password != '';

3. All video passwords are returned in plaintext — no cracking required.

Alternatively, exploit any of the SQL injection vulnerabilities already reported in this repository to extract the video_password column directly.

Impact

- Type: Cleartext Storage of Sensitive Information (CWE-312)

- Severity: High

- Authentication required: No — any database read access (including via SQL injection by unauthenticated users) exposes all passwords

- Impact: Full exposure of all video access passwords; credential reuse attacks against users who share passwords across services

- Fix: Hash video passwords on write using password_hash($video_password, PASSWORD_BCRYPT) and verify on read using password_verify($_POST['password'], $stored_hash)

Mitigation
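A hardened version of the setter and access check, as an added example that is not AVideo's own code: it hashes on write with password_hash(), verifies with password_verify(), and upgrades rows still holding legacy plaintext on their first successful check. The class name and the verifyVideo_password() method are hypothetical, and the AVideoPlugin::onVideoSetVideo_password() hook call is omitted.

```php
<?php
// Added example (not AVideo's code). Assumes a minimal Video-like class that
// stores the video_password column value in $this->video_password.
class VideoPasswordExample
{
    // After the fix this holds a bcrypt hash; rows written before the fix
    // may still hold the legacy plaintext value.
    private $video_password = '';

    // Hash before persisting; an empty string still means "no password".
    public function setVideo_password($video_password)
    {
        $plain = trim((string) $video_password);
        $this->video_password = ($plain === '')
            ? ''
            : password_hash($plain, PASSWORD_BCRYPT);
    }

    public function getVideo_password()
    {
        return $this->video_password;
    }

    // Replaces the plaintext comparison `getVideo_password() === $_POST['password']`.
    public function verifyVideo_password($candidate): bool
    {
        $stored = $this->video_password;
        $plain = trim((string) $candidate);
        if ($stored === '' || $plain === '') {
            return false;
        }
        // password_get_info() reports 'unknown' for a value that is not a
        // recognised hash, i.e. a legacy plaintext row written before the fix.
        if (password_get_info($stored)['algoName'] === 'unknown') {
            if (!hash_equals($stored, $plain)) {
                return false;
            }
            // Correct legacy password: store it hashed from now on.
            $this->setVideo_password($plain);
            return true;
        }
        return password_verify($plain, $stored);
    }
}

// Usage with a constructed password (mirrors the access check in the advisory).
$video = new VideoPasswordExample();
$video->setVideo_password('constructed-secret');
echo $video->verifyVideo_password('constructed-secret') ? "ok\n" : "denied\n";
echo $video->verifyVideo_password('wrong-guess') ? "ok\n" : "denied\n";
```

A bcrypt hash is 60 characters long, so the video_password column must be at least that wide before deploying the change.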
