Summary
The setPassword.json.php endpoint in the CustomizeUser plugin allows administrators to set a channel password for any user. Due to a logic error in how the submitted password value is processed, any password containing non-numeric characters is silently coerced to the integer zero before being stored. This means that regardless of the intended password, the stored channel password becomes 0, which any visitor can trivially guess to bypass channel-level access control.
Details
The endpoint correctly restricts access to administrators only, but the password value submitted via the ProfilePassword request parameter is processed with intval() before being passed to User::setProfilePassword(). The relevant code is:
$obj->ProfilePassword = intval(@$_REQUEST['ProfilePassword']);
$obj->users_id = $users_id;
$obj->response = User::setProfilePassword($users_id, $obj->ProfilePassword);
The call to intval() on an alphanumeric string such as secretabc123 returns 0. This silently discards the intended password value and stores 0 as the channel password instead. Because the coercion is silent, the administrator receives no error or warning and has no indication that the password they set was not stored correctly. Any visitor to the channel who enters 0 as the password will be granted access, completely defeating the channel password protection feature.
This is not a case where a malicious admin deliberately sets a weak password. The vulnerability causes well-intentioned admins to unknowingly install a trivially guessable password on any channel for which they attempt to configure a non-numeric password.
PoC
curl -s -X POST "https://target.example.com/plugin/CustomizeUser/setPassword.json.php" \
-b "PHPSESSID=<admin_session_cookie>" \
-d "users_id=42&ProfilePassword=secretPassword123"
curl -s -X POST "https://target.example.com/channel_password_check_endpoint" \
-d "users_id=42&password=0"
import requests
base_url = "https://target.example.com"
session = requests.Session()
session.post(f"{base_url}/login", data={"user": "admin", "pass": "adminpass"})
session.post(
f"{base_url}/plugin/CustomizeUser/setPassword.json.php",
data={"users_id": "42", "ProfilePassword": "mySuperSecretPassword"}
)
resp = session.post(
f"{base_url}/plugin/CustomizeUser/setPassword.json.php",
data={"users_id": "42", "ProfilePassword": "0"}
)
print(resp.text)
Impact
Any administrator who sets a channel password using a non-numeric string unknowingly reduces that password to 0. Any unauthenticated or unprivileged user who simply enters 0 as the channel password can access the content that was intended to be protected. This breaks the confidentiality guarantees of the channel password protection feature across all channels managed by administrators who use alphanumeric passwords. The impact is scoped to channel-level access control and does not enable account takeover or privilege escalation, but it renders the password protection feature entirely ineffective for the common case of non-numeric passwords.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2026-33297? CVE-2026-33297 is a medium-severity security vulnerability in wwbn/avideo (composer), affecting versions <= 25.0. No fixed version is listed yet.
- Which versions of wwbn/avideo are affected by CVE-2026-33297? wwbn/avideo (composer) versions <= 25.0 is affected.
- Is there a fix for CVE-2026-33297? No fixed version is listed for CVE-2026-33297 yet. Monitor the advisory for updates and apply mitigations in the interim.
- Is CVE-2026-33297 exploitable, and should I be worried? Whether CVE-2026-33297 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2026-33297 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.