CVE-2026-33512

Summary

The API plugin exposes a decryptString action without any authentication. Anyone can submit ciphertext and receive plaintext. Ciphertext is issued publicly (e.g., view/url2Embed.json.php), so any user can recover protected tokens/metadata. Severity: High.

Details

• Entry: plugin/API/get.json.php is unauthenticated.
• Handler: plugin/API/API.php getapidecryptString() (lines ~5945–5966):

  ```php

  $string = decryptString($_REQUEST['string']);

  return new ApiObject($string, empty($string));

  ```

  No APISecret or user check occurs before decrypting.

• Public ciphertext source: view/url2Embed.json.php returns playLink/playEmbedLink (encryptString(json_encode(...))) to any caller.

PoC

1. Obtain ciphertext:

   ```

   GET /view/url2Embed.json.php?url=https://example.com/video.mp4

   ```

   Copy playLink.

1. Decrypt without auth:

   ```

   POST /plugin/API/get.json.php?APIName=decryptString

   Content-Type: application/x-www-form-urlencoded

   string=<playLink ciphertext>

   ```

   Response contains the plaintext JSON (videoLink, title, users_id, etc.).

Impact

• Any encrypted payload produced by the platform can be decrypted by anyone.
• Leaks tokens/links intended to be confidential; enables replay and tampering where secrecy was assumed.

Mitigation

• Require API secret or authenticated/authorized user for decryptString, or remove the endpoint.
• Prefer one-way signatures (HMAC) instead of exposing generic decryption.
• Rotate encryption keys/salts after patch to invalidate exposed ciphertexts.