Stored Cross-Site Scripting in AVideo TopMenu Plugin by WWBN
CVE-2026-56347

5.3MEDIUM

Key Information:

Vendor: Wwbn
Status: Avideo
Vendor: CVE Published:; 20 June 2026

What is CVE-2026-56347?

The AVideo TopMenu plugin, up to version 26.0, is susceptible to a stored cross-site scripting vulnerability. This arises from the absence of proper output encoding for menu item elements, including icon classes, URLs, and text labels. Malicious actors can exploit this flaw by injecting harmful JavaScript through menu item fields that are not properly escaped. When rendered, this script may execute for all visitors of the site, leading to potential session cookie theft or unauthorized actions.

Affected Version(s)

AVideo 0 <= 26.0

References

https://github.com/WWBN/AVideo/security/advisories/GHSA-g...

vendor-advisory

https://www.vulncheck.com/advisories/avideo-topmenu-plugi...

third-party-advisory

CVSS V4

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 20, 2026
Vulnerability Reserved
Jun 20, 2026

Credit

adrgs

aisafe-bot

CVE-2026-56347 Data

JSON