CVE-2026-35448 - Vulnerability Details

- WWBN AVideo Provides Unauthenticated Access to Payment Order Data via BlockonomicsYPT check.php

Description

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the BlockonomicsYPT plugin's check.php endpoint returns payment order data for any Bitcoin address without requiring authentication. The endpoint was designed as an AJAX polling helper for the authenticated invoice.php page, but it performs no access control checks of its own. Since Bitcoin addresses are publicly visible on the blockchain, an attacker can query payment records for any address used on the platform.

Published: 2026-04-06

Score: 3.7 Low

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The BlockonomicsYPT plugin’s check.php script returns payment order data for any Bitcoin address without performing authentication checks. The endpoint was intended only for internal AJAX use on a protected invoice page but lacks access control, allowing any requester to obtain transaction records tied to addresses listed on the platform. The weakened confidentiality can expose users’ payment history and potentially sensitive financial information.

Affected Systems

The vulnerability exists in WWBN’s open‑source AVideo platform, affecting all releases 26.0 and earlier. Users running the BlockonomicsYPT plugin on those versions are exposed until they upgrade to later releases where the access restriction is enforced.

Risk and Exploitability

The CVSS score of 3.7 indicates low severity, and the EPSS score of less than 1% suggests a low likelihood of exploitation. The issue is not listed in the CISA KEV catalog, reinforcing its lower threat standing. The attack vector is a simple HTTP request to the publicly reachable /check.php endpoint, requiring no credentials. An attacker can enumerate any Bitcoin address that appears in the platform’s blockchain view, retrieving its associated payment orders without needing to authenticate or compromise the host system.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

WWBN

AVideo

affected

Version	Status	Constraints
`<= 26.0`	affected	—

Configuration 1 [-]

cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Wwbn

Avideo

100%

Version	Status	Scheme	Platform
`[0,26.0]`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade AVideo to the latest version, which includes proper authentication for the BlockonomicsYPT check.php endpoint.
If an immediate upgrade is not possible, restrict or disable external access to the /check.php script, ensuring it can be reached only from trusted internal sources.

Generated by OpenCVE AI on April 14, 2026 at 21:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-3v7m-qg4x-58h9	AVideo: Unauthenticated Access to Payment Order Data via BlockonomicsYPT check.php

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00019.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/WWBN/AVideo/security/advisories/GHSA-3v7m-qg4x-58h9

History

Tue, 14 Apr 2026 20:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:wwbn:avideo::::::::

Tue, 07 Apr 2026 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 07 Apr 2026 09:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Wwbn Wwbn avideo
Vendors & Products		Wwbn Wwbn avideo

Tue, 07 Apr 2026 00:00:00 +0000

Type	Values Removed	Values Added
Description		WWBN AVideo is an open source video platform. In versions 26.0 and prior, the BlockonomicsYPT plugin's check.php endpoint returns payment order data for any Bitcoin address without requiring authentication. The endpoint was designed as an AJAX polling helper for the authenticated invoice.php page, but it performs no access control checks of its own. Since Bitcoin addresses are publicly visible on the blockchain, an attacker can query payment records for any address used on the platform.
Title		WWBN AVideo Provides Unauthenticated Access to Payment Order Data via BlockonomicsYPT check.php
Weaknesses		CWE-862
References		https://github.com/WWBN/AVideo/security/advisories/GHSA-3v7m-qg4x-58h9
Metrics		cvssV3_1 `{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N'}`

Subscriptions

Wwbn Avideo

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-04-06T21:45:01.877Z

Updated: 2026-04-07T15:08:51.870Z

Reserved: 2026-04-02T19:25:52.192Z

Link: CVE-2026-35448

Vulnrichment

Updated: 2026-04-07T14:37:38.702Z

NVD

Status : Analyzed

Published: 2026-04-06T22:16:23.157

Modified: 2026-04-14T19:57:27.693

Link: CVE-2026-35448

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T16:30:09Z

Weaknesses

CWE-862

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object