CVE-2026-33352
WWBN · AVideo
WWBN AVideo is vulnerable to an unauthenticated SQL injection in the getAllCategories() method due to insufficient sanitization of the doNotShowCats parameter.
Executive summary
A critical SQL injection vulnerability in WWBN AVideo allows unauthenticated attackers to extract sensitive data from the database by bypassing simple character filtering.
Vulnerability
The doNotShowCats parameter in objects/category.php is only sanitized by removing single quotes. An unauthenticated attacker can bypass this using backslash escapes to manipulate SQL query boundaries, leading to full SQL injection.
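As an added illustration (not AVideo's own code), the following hypothetical PHP shows how a category-exclusion query can be built so that quote stripping is no longer the only line of defence: the parameter is reduced to a list of integers and bound through a prepared statement. The mysqli connection, the table and the column names are assumptions.

```php
<?php
// Added illustration, not AVideo's own code. Hypothetical helper and
// query function; assumes a mysqli connection and a `categories` table
// with an integer `id` column and a text `name` column.

// Weak pattern the advisory describes (do not use): stripping single
// quotes and interpolating the result leaves backslashes and other SQL
// syntax in the query text, so the filter can be bypassed.
//   $clean = str_replace("'", '', $doNotShowCats);
//   $sql   = "SELECT ... WHERE id NOT IN ($clean)";

/**
 * Reduce a comma-separated doNotShowCats value to a list of integers.
 * Every element that is not purely digits is dropped, so no quote,
 * backslash or keyword can reach the SQL text at all.
 */
function parseExcludedCategoryIds(string $raw): array
{
    $ids = [];
    foreach (explode(',', $raw) as $part) {
        $part = trim($part);
        if ($part !== '' && ctype_digit($part)) {
            $ids[] = (int) $part;
        }
    }
    return array_values(array_unique($ids));
}

/**
 * Fetch all categories except the excluded ids, using a prepared
 * statement with one bound placeholder per id.
 */
function getAllCategoriesExcluding(mysqli $conn, string $doNotShowCats): array
{
    $ids = parseExcludedCategoryIds($doNotShowCats);
    $sql = 'SELECT id, name FROM categories';
    if ($ids === []) {
        $stmt = $conn->prepare($sql);
    } else {
        $placeholders = implode(',', array_fill(0, count($ids), '?'));
        $stmt = $conn->prepare("$sql WHERE id NOT IN ($placeholders)");
        // Values are bound as integers; they never become query syntax.
        $stmt->bind_param(str_repeat('i', count($ids)), ...$ids);
    }
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}
```

The integer allow-list alone already removes the injection surface; the prepared statement is kept so that the query stays safe even if the validation is later relaxed.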
Business impact
An attacker can exploit this flaw to read sensitive information from the database, including user credentials, configuration settings, and private video metadata. Depending on the database configuration, this could also lead to remote code execution on the database server. The CVSS score of 9.8 highlights the critical risk to data confidentiality and integrity.
Remediation
Immediate Action: Upgrade WWBN AVideo to version 26.0 or later, which contains the official patch for this vulnerability.
Proactive Monitoring: Review database logs for unusual query patterns or errors involving the categories table and the doNotShowCats parameter.
Compensating Controls: Deploy a Web Application Firewall (WAF) with SQL injection protection enabled to detect and block malicious payloads containing SQL syntax.
Exploitation status
Public Exploit Available: No
Analyst recommendation
Upgrading immediately to version 26.0 is the only reliable way to mitigate this risk. Ensure that all application components are regularly audited for similar bypasses of basic sanitization routines.