CVE-2026-56347

MEDIUM 6.1

AVideo TopMenu Plugin - Stored Cross-Site Scripting via Unescaped Menu Item Fields

CVSS Score

6.1

EPSS Score

0.0%

EPSS Percentile

0th

AVideo TopMenu plugin through version 26.0 contains a stored cross-site scripting vulnerability in menu item rendering due to missing output encoding of icon classes, URLs, and text labels. Attackers can inject malicious JavaScript through unescaped menu item fields that execute for all site visitors, potentially stealing session cookies or performing unauthorized actions.

CWE	CWE-79
Vendor	wwbn
Product	avideo
Published	Jun 20, 2026

Stay Ahead of the Next One

Get instant alerts for wwbn avideo

Be the first to know when new medium vulnerabilities affecting wwbn avideo are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Affected Versions

WWBN / AVideo

0 ≤ 26.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/WWBN/AVideo/security/advisories/GHSA-gmpc-fxg2-vcmq vulncheck.com: https://www.vulncheck.com/advisories/avideo-topmenu-plugin-stored-cross-site-scripting-via-unescaped-menu-item-fields

Credits

🔍 adrgs aisafe-bot