Impact
WWBN AVideo, an open-source video platform, exposes a debug endpoint named test.php to every logged-in user in version 26.0 and earlier. The endpoint accepts Stripe-style payloads and, because of a fault in the retrieveSubscriptions() routine, cancels the subscription instead of only retrieving its details. Any user who can authenticate to the site can therefore supply an arbitrary Stripe subscription identifier and cause that subscription to terminate, resulting in irreversible financial loss and service disruption. The weakness is an access-control flaw that lets authenticated users execute a privileged action (CWE-862, Missing Authorization).
Affected Systems
The vulnerability is in the StripeYPT plugin bundled with WWBN AVideo; every release from the earliest available version through 26.0 is affected. Any installation that has not applied a later fix and still includes the test.php debug endpoint is exposed. The flaw is limited to environments where the plugin is active and the debug page is reachable, but the attack does not require elevated administrative privileges: a logged-in user account is sufficient.
Risk and Exploitability
The CVSS score of 6.5 indicates medium severity, and the EPSS score of less than 1% suggests a currently low probability of exploitation. However, because the vulnerability requires only authentication and no high-privilege access, it gives an attacker a straightforward path to customer-owned payment subscriptions. The issue is not yet catalogued by CISA as a known exploited vulnerability, but that does not diminish the potential impact for users. Until an official patch is released, organizations should watch for unexplained Stripe cancellations and consider restricting or disabling the affected endpoint.
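The two defensive measures above (watching for unexplained Stripe cancellations and monitoring the debug endpoint) can be turned into concrete checks. The following script is an added example, not code from the advisory, OpenCVE or the AVideo project. It assumes the debug page lives under a `/StripeYPT/` path segment (the advisory only names the file and the plugin), parses combined-format web-server access logs, flags every request to test.php (escalating when the account is not an administrator or when one account hits the page repeatedly), and compares Stripe `customer.subscription.deleted` webhook events against the platform's own record of cancellations. All log lines, event objects and identifiers are constructed sample data.

```python
"""Detection helpers for the AVideo StripeYPT debug-endpoint issue.

Added example, not code from AVideo or OpenCVE. Two checks a defender can run:
  1. flag every request to the test.php debug endpoint in access logs,
     escalating for non-admin accounts and for repeated hits from one account;
  2. report Stripe 'customer.subscription.deleted' events that have no
     matching cancellation record on the platform side.
"""
import re
from collections import Counter

# Assumption: the debug page sits under the plugin directory. The advisory
# names only the file (test.php) and the plugin (StripeYPT); adjust as needed.
DEBUG_ENDPOINT = re.compile(r"/StripeYPT/test\.php(?:[?#]|$)", re.IGNORECASE)

# Apache/nginx "combined" format: ip ident user [time] "request" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - alice [10/Mar/2024:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120
203.0.113.7 - alice [10/Mar/2024:10:01:40 +0000] "POST /plugin/StripeYPT/test.php HTTP/1.1" 200 310
203.0.113.7 - alice [10/Mar/2024:10:01:41 +0000] "POST /plugin/StripeYPT/test.php HTTP/1.1" 200 310
203.0.113.7 - alice [10/Mar/2024:10:01:43 +0000] "POST /plugin/StripeYPT/test.php?x=1 HTTP/1.1" 200 310
198.51.100.9 - admin [10/Mar/2024:11:05:00 +0000] "GET /plugin/StripeYPT/test.php HTTP/1.1" 200 900
198.51.100.9 - admin [10/Mar/2024:11:06:00 +0000] "GET /plugin/StripeYPT/index.php HTTP/1.1" 200 900
"""


def parse_access_log(text):
    """Yield one dict per parseable combined-format line; skip malformed lines."""
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            yield m.groupdict()


def debug_endpoint_alerts(text, admin_users, burst_threshold=3):
    """Return (alerts, hits_per_user) for requests to the debug endpoint.

    Each hit is 'high' when the account is not an admin (the authenticated
    non-privileged path the advisory describes) and 'info' otherwise. A user
    with >= burst_threshold hits gets an extra 'high' alert, since genuine
    debugging rarely hammers the page.
    """
    alerts = []
    per_user = Counter()
    for rec in parse_access_log(text):
        if not DEBUG_ENDPOINT.search(rec["path"]):
            continue
        per_user[rec["user"]] += 1
        alerts.append({
            "severity": "info" if rec["user"] in admin_users else "high",
            "user": rec["user"],
            "ip": rec["ip"],
            "method": rec["method"],
            "time": rec["time"],
            "reason": "request to StripeYPT test.php debug endpoint",
        })
    for user, n in per_user.items():
        if n >= burst_threshold:
            alerts.append({
                "severity": "high",
                "user": user,
                "reason": f"{n} debug-endpoint requests from one account",
            })
    return alerts, per_user


# Constructed Stripe webhook events (shape follows Stripe's event envelope)
# and the platform's own cancellation records; all identifiers are made up.
SAMPLE_STRIPE_EVENTS = [
    {"type": "customer.subscription.deleted",
     "data": {"object": {"id": "sub_EXAMPLE_001", "customer": "cus_EXAMPLE_A"}}},
    {"type": "customer.subscription.deleted",
     "data": {"object": {"id": "sub_EXAMPLE_002", "customer": "cus_EXAMPLE_B"}}},
    {"type": "invoice.paid",
     "data": {"object": {"id": "in_EXAMPLE_003", "customer": "cus_EXAMPLE_C"}}},
]
SAMPLE_PLATFORM_CANCELLATIONS = {"sub_EXAMPLE_001"}  # cancelled via the normal UI flow


def unexplained_cancellations(stripe_events, platform_cancellations):
    """Subscription ids Stripe reports as deleted with no platform-side record."""
    deleted = {
        ev["data"]["object"]["id"]
        for ev in stripe_events
        if ev.get("type") == "customer.subscription.deleted"
    }
    return sorted(deleted - set(platform_cancellations))


if __name__ == "__main__":
    alerts, _ = debug_endpoint_alerts(SAMPLE_LOG, admin_users={"admin"})
    for a in alerts:
        print(a["severity"].upper(), a["user"], a["reason"])
    print("unexplained Stripe cancellations:",
          unexplained_cancellations(SAMPLE_STRIPE_EVENTS, SAMPLE_PLATFORM_CANCELLATIONS))
```

On the constructed sample, the three POSTs from the non-admin account each raise a high-severity alert plus a burst alert, the administrator's single GET is recorded at info level, and `sub_EXAMPLE_002` is reported as an unexplained cancellation. In a real deployment the platform-side cancellation set would come from the site's own database rather than a literal, and the access-log check can run as a scheduled job until the endpoint is removed or restricted.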
Source: OpenCVE enrichment. Reference: GitHub GHSA advisory.