wwbn/avideo API plugin allows privilege escalation via unauthenticated sign-up
The set_api_signUp method in the API plugin applies emailVerified, canUpload, canStream, and canCreateMeet parameters from user input to new accounts without verifying a valid APISecret.
What changed
set_api_signUp copies the emailVerified, canUpload, canStream and canCreateMeet parameters from the request onto the newly created account without first checking that the caller presented a valid APISecret. Because the only barrier to registration is a CAPTCHA, any anonymous user who solves it can set these flags on their own account during sign-up, skipping email verification and granting themselves upload, streaming and meeting-creation rights.
Who it affects
Every wwbn/avideo instance running the API plugin with sign-up enabled. The attacker needs no existing account or credentials: anyone who can reach the sign-up endpoint and pass the CAPTCHA can bypass email verification and obtain upload, stream and meeting-creation privileges.
What to do today
Apply the recommended fix: wrap the handling of the emailVerified, canUpload, canStream and canCreateMeet parameters in an isAPISecretValid() check, so they are honoured only when the caller presents the APISecret and every other registration gets the default, unprivileged account. Until the patched code is deployed, disable the sign-up API endpoint. Because the flags were taken straight from the request, accounts registered through this endpoint before the fix may already carry them; review those accounts and revoke any privilege or verified status that an administrator did not grant.
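To make the fix concrete, here is an added example modelling the vulnerable and hardened sign-up handler side by side. It is not wwbn/avideo's own code: the SignUpHandler class, its method names and the request layout are assumptions, and the isAPISecretValid() in it is a stand-in for the plugin's check rather than its implementation.

```php
<?php
// Added illustration for this advisory; it is not wwbn/avideo's own code.
// The class, method names and array layout are assumptions that model the
// reported flaw: privilege flags read from the sign-up request and applied
// to the new account, with and without an APISecret check in front of them.

final class SignUpHandler
{
    private const PRIVILEGE_FLAGS = ['emailVerified', 'canUpload', 'canStream', 'canCreateMeet'];

    public function __construct(private string $apiSecret) {}

    // Stand-in for the plugin's isAPISecretValid(): the request must carry
    // the secret configured server side. hash_equals() avoids timing leaks.
    private function isAPISecretValid(array $parameters): bool
    {
        if ($this->apiSecret === '' || !isset($parameters['APISecret']) || !is_string($parameters['APISecret'])) {
            return false;
        }
        return hash_equals($this->apiSecret, $parameters['APISecret']);
    }

    // Defaults for a self-registered user: nothing verified, nothing granted.
    private function newAccount(array $parameters): array
    {
        return [
            'user'          => (string) ($parameters['user'] ?? ''),
            'emailVerified' => false,
            'canUpload'     => false,
            'canStream'     => false,
            'canCreateMeet' => false,
        ];
    }

    // Copies whichever privilege flags the request asserts onto the account.
    private function applyFlags(array $account, array $parameters): array
    {
        foreach (self::PRIVILEGE_FLAGS as $flag) {
            if (!empty($parameters[$flag])) {
                $account[$flag] = true;
            }
        }
        return $account;
    }

    // Vulnerable shape: flags are applied regardless of who is calling, so an
    // anonymous registrant who passed the CAPTCHA picks their own privileges.
    public function signUpVulnerable(array $parameters): array
    {
        return $this->applyFlags($this->newAccount($parameters), $parameters);
    }

    // Hardened shape: flags are honoured only for callers holding the APISecret;
    // everyone else gets the default account and the flags are silently dropped.
    public function signUpHardened(array $parameters): array
    {
        $account = $this->newAccount($parameters);
        if ($this->isAPISecretValid($parameters)) {
            $account = $this->applyFlags($account, $parameters);
        }
        return $account;
    }
}

// Constructed request: an anonymous client that solved the CAPTCHA, holds no
// secret, and asks for every privilege on its new account.
$anonymousRequest = [
    'user'          => 'newcomer',
    'captcha'       => 'solved',
    'emailVerified' => 1,
    'canUpload'     => 1,
    'canStream'     => 1,
    'canCreateMeet' => 1,
];

$handler = new SignUpHandler('secret-configured-on-the-server');

echo "vulnerable: ", json_encode($handler->signUpVulnerable($anonymousRequest)), PHP_EOL;
echo "hardened:   ", json_encode($handler->signUpHardened($anonymousRequest)), PHP_EOL;

// A trusted integration that presents the secret is still allowed to create
// pre-verified, privileged accounts through the hardened path.
$trustedRequest = $anonymousRequest + ['APISecret' => 'secret-configured-on-the-server'];
echo "trusted:    ", json_encode($handler->signUpHardened($trustedRequest)), PHP_EOL;
```

Run under PHP 8, the anonymous request receives every flag on the vulnerable path and none on the hardened path, while the request carrying the secret still gets them. The property that matters is that the decision rests on server-held state (the configured secret), never on whether a flag happens to be present in the request.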