Security Advisory - Published 2026-06-22 - AVideo

AVideo CVE batch: check Meet, payment plugins, users, and logs

This batch affects AVideo installs that expose payment plugins, the Meet plugin, message handling, or Live plugin features. Patch first. Then review user sessions, recorded-video uploads, payment records, outbound requests, and server logs around the disclosure window.

Defensive scope: use this guide only for systems you own or are approved to review. It avoids request paths and exploit steps.

Affected AVideo items

| CVE | Affected | Review | CVSS |
|---|---|---|---|
| CVE-2026-56345 | through 29.0 | Meet plugin settings, recorded-video uploads, user sessions, and admin logins | 9.2 |
| CVE-2026-56341 | through 26.0 | payment plugin logs, PayPal or Authorize.Net records, and Bitcoin transaction records | 8.7 |
| CVE-2026-56346 | through 25.0 | message plugin usage, server logs, and unusual resource spikes | 6.9 |
| CVE-2026-56342 | through 27.0 | Live plugin settings, outbound requests, and admin activity | 6.8 |

Owner self-check

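    # Find references to the affected plugins and payment features in code, config, and logs
    grep -Rni 'AVideo\|Meet\|PayPal\|Authorize\|Bitcoin\|PGP\|Live' . --include='*.php' --include='*.json' --include='*.log'
    # List script, archive, dump, media, and log files modified in the last 10 days
    find . -type f -mtime -10 | grep -E '\.php$|\.phtml$|\.phar$|\.zip$|\.sql$|\.mp4$|\.log$'
    # List any file written to media, cache, or upload directories in the last 10 days
    find videos cache objects tmp upload -type f -mtime -10 2>/dev/null
    # Search media and log directories for login, session, payment, upload, and error entries
    grep -Rni 'login\|session\|payment\|upload\|error\|warning' videos logs storage 2>/dev/null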

What to review

  • Unexpected admin or user sessions, changed passwords, and new users.
  • Recorded-video uploads, recent media files, and files written outside normal media paths.
  • Payment plugin logs, gateway tokens, webhook records, and transaction exports.
  • Outbound requests from the server and access to internal services during the exposure window.
  • Message plugin use and resource spikes tied to unauthenticated requests.

Safe fix path

  1. Upgrade AVideo to a fixed release or disable exposed plugins until the vendor fix is installed.
  2. Preserve web, PHP, AVideo, payment, and system logs before cleanup.
  3. Rotate admin, database, payment gateway, webhook, and API credentials if suspicious access is found.
  4. Review file ownership and remove unexpected PHP files before bringing the site back to normal traffic.
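For step 4 and the upload-path review above, this added example (not AVideo or vendor code) lists recently modified PHP-type files inside the media directories with their owner, modification time, and SHA-256 hash. The function name `list_media_scripts` and the `MEDIA_DIRS` variable are hypothetical, the directory names are taken from the self-check, and GNU find, stat, and sha256sum are assumed.

```shell
#!/bin/sh
# Added example, not AVideo or vendor code. Assumes GNU find, stat and sha256sum.
# MEDIA_DIRS reuses the directory names from the self-check; adjust to your install.
MEDIA_DIRS="${MEDIA_DIRS:-videos cache objects tmp upload}"

# list_media_scripts ROOT [DAYS]   (hypothetical helper name)
# For every .php/.phtml/.phar file under ROOT's media directories modified in
# the last DAYS days (default 10), print: owner, mtime, sha256, path (tab-separated).
# Read-only: it records evidence for review and deletes nothing.
list_media_scripts() {
    root=$1
    days=${2:-10}
    for d in $MEDIA_DIRS; do
        [ -d "$root/$d" ] || continue
        find "$root/$d" -type f -mtime "-$days" \
            \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.phar' \) \
            -exec sh -c 'for f; do
                printf "%s\t%s\t%s\t%s\n" \
                    "$(stat -c %U "$f")" \
                    "$(stat -c %y "$f")" \
                    "$(sha256sum "$f" | cut -d" " -f1)" \
                    "$f"
            done' sh {} +
    done
}

# Usage: sh media_scripts.sh /path/to/avideo 10 > media_scripts.tsv
if [ "$#" -gt 0 ]; then
    list_media_scripts "$@"
fi
```

Store the output alongside the preserved logs before removing any file, so owners and hashes remain available for later comparison.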

Repair help

Use Ping7 CVE Repair when AVideo had public plugins enabled, payment logs were exposed, users changed, or upload paths contain files that are hard to explain.
