GHSA-gmpc-fxg2-vcmq: AVideo has Stored XSS via Unescaped Menu Item Fields in TopMenu Plugin

April 1, 2026

The TopMenu plugin renders menu item fields (icon classes, URLs, and text labels) directly into HTML without applying htmlspecialchars() or any other output encoding. Since menu items are rendered on every public page through plugin hooks, a single malicious menu entry results in stored cross-site scripting that executes for every visitor to the site. An admin user who is tricked into saving a crafted menu item (or an attacker who gains admin access) can compromise all site visitors.

References

github.com/WWBN/AVideo
github.com/WWBN/AVideo/security/advisories/GHSA-gmpc-fxg2-vcmq
github.com/advisories/GHSA-gmpc-fxg2-vcmq

Code Behaviors & Features

Detect and mitigate GHSA-gmpc-fxg2-vcmq with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →