WWBN AVideo is an open source video platform. In versions up to and including 26.0, the RTMP "on_publish" callback at "plugin/Live/on_publish.php" is accessible without authentication. The "$_POST['name']" parameter (stream key) is interpolated directly into SQL queries in two locations — "LiveTransmitionHistory::getLatest()" and "LiveTransmition::keyExists()" — without parameterized binding or escaping. An unauthenticated attacker can exploit time-based blind SQL injection to extract all database contents including user password hashes, email addresses, and other sensitive data. Commit af59eade82de645b20183cc3d74467a7eac76549 contains a patch.