CVE-2026-33297
WWBN · AVideo (CustomizeUser plugin)
A logic error in AVideo's CustomizeUser plugin causes non-numeric passwords to be stored as "0". This allows any visitor to bypass channel access controls by entering the integer zero.
Executive summary
A critical logic error in the WWBN AVideo CustomizeUser plugin results in trivial access control bypass, allowing unauthorized users to access protected channels.
Vulnerability
The setPassword.json.php endpoint suffers from a type coercion logic error. When an administrator sets a channel password containing non-numeric characters, the system silently converts the value to the integer 0, which is then stored as the valid credential.
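To illustrate the coercion described above, here is an added example (hypothetical code, not AVideo's own setPassword.json.php): a handler that casts the submitted password to an integer before storing and comparing it, beside a hardened version that keeps the value a string, rejects empty input and stores only a hash. All function names are assumptions.

```php
<?php
// Hypothetical illustration of the CVE-2026-33297 pattern; not the
// project's code. Shows why a non-numeric password ends up stored as 0
// and how a string-based, hashed implementation avoids it.

// Vulnerable pattern: the input is coerced to int. Any string that does
// not start with digits becomes 0, so every such channel shares the
// same stored "credential".
function vulnerableStore(string $input): int
{
    return intval($input);
}

function vulnerableCheck(int $stored, string $attempt): bool
{
    // Loose comparison. "0" == 0 is true on every PHP version, so an
    // attempt of "0" matches. (On PHP 7, 0 == "MySecret!" is also true;
    // PHP 8 compares int with non-numeric string as strings instead.)
    return $stored == $attempt;
}

// Hardened pattern: never cast, reject empty values, store a salted
// hash and compare with a constant-time verifier.
function hardenedStore(string $input): string
{
    $input = trim($input);
    if ($input === '') {
        throw new InvalidArgumentException('password must not be empty');
    }
    return password_hash($input, PASSWORD_DEFAULT);
}

function hardenedCheck(string $storedHash, string $attempt): bool
{
    return password_verify($attempt, $storedHash);
}

// Demonstration with a constructed password.
$secret = 'MySecret!';

$storedInt = vulnerableStore($secret);
echo "vulnerable stored value: ", var_export($storedInt, true), PHP_EOL;
echo "vulnerable accepts '0': ", var_export(vulnerableCheck($storedInt, '0'), true), PHP_EOL;

$hash = hardenedStore($secret);
echo "hardened accepts '0': ", var_export(hardenedCheck($hash, '0'), true), PHP_EOL;
echo "hardened accepts real password: ", var_export(hardenedCheck($hash, $secret), true), PHP_EOL;
```

The same `intval`/loose-comparison pair is what an auditor should look for when reviewing a patched instance, alongside the database check for stored "0" values recommended under Remediation.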
Business impact
This vulnerability effectively nullifies channel-level privacy and access controls. Any visitor can gain unauthorized access to restricted content by simply providing "0" as the password. With a CVSS score of 9.1, the impact is critical as it leads to the exposure of sensitive or private video content, violating user privacy and potentially breaching data protection regulations.
Remediation
Immediate Action: Update the AVideo platform to version 26.0 or later, which corrects the password processing logic.
Proactive Monitoring: Audit the database for channel passwords stored as "0" and force an update for those channels once the software has been patched.
Compensating Controls: Disable the CustomizeUser plugin temporarily if an immediate update is not feasible and channel privacy is a business-critical requirement.
Exploitation status
Public Exploit Available: false
Analyst recommendation
The silent coercion of passwords to a guessable default is a high-risk failure of the security implementation. Administrators should prioritize the update to version 26.0. Following the update, a manual review of all password-protected channels is recommended to ensure that access controls are functioning as intended.