CVE-2023-1869: 
WordPress vulnerability analysis and mitigation

An information disclosure vulnerability exists in the aVideoEncoder.json.php chunkFile path functionality of WWBN AVideo 11.6 and dev master commit 15fed957fb. The vulnerability allows authenticated attackers with administrative-level access to perform arbitrary file reads through specially crafted HTTP requests (Talos Intelligence).

The vulnerability stems from insufficient input sanitization in the aVideoEncoder.json.php file's chunkFile parameter. The system allows file paths starting with '/var/www/' and permits the use of '..' directory traversal sequences, enabling access to files outside the intended directory structure. While there is a protection mechanism that blocks access to .php files, other system files remain accessible. The vulnerability has been assigned a CVSSv3 score of 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) (Talos Intelligence).

The vulnerability allows authenticated attackers to read arbitrary files on the system (except .php files), which could lead to exposure of sensitive information and potentially privilege escalation. Attackers can access system files such as /etc/passwd and other critical configuration files (Talos Intelligence).

The vendor released a patch on December 15, 2023, to address this vulnerability. Users should update to the latest version of WWBN AVideo to mitigate this security issue (Talos Intelligence).