CVE-2026-41304
WWBN AVideo vulnerable to RCE caused by clonesite plugin
In short
WWBN AVideo's CloneSite plugin allows attackers to run arbitrary commands on the server by injecting shell commands through the URL parameter. This happens because user input is directly used in a system command without being checked first.
Technical detail
The cloneServer.json.php endpoint in the CloneSite plugin constructs shell commands by concatenating unsanitized user input (url parameter) into a wget command executed via exec(), enabling command injection. An unauthenticated attacker can inject arbitrary shell metacharacters to break out of the intended URL context and achieve Remote Code Execution with server privileges.
Summary generated and translated by AI from the official description.
WWBN AVideo is an open source video platform. In versions 29.0 and below, the `cloneServer.json.php` endpoint in the CloneSite plugin constructs shell commands using user-controlled input (`url` parameter) without proper sanitization. The input is directly concatenated into a `wget` command executed via `exec()`, allowing command injection. An attacker can inject arbitrary shell commands by breaking out of the intended URL context using shell metacharacters (e.g., `;`). This leads to Remote Code Execution (RCE) on the server. Commit 473c609fc2defdea8b937b00e86ce88eba1f15bb contains a fix.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
Affected products
WWBN · AVideoWant to know if your infrastructure is exposed to this?
Talk to TrueHacking →