Description
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the PayPal IPN v1 handler at plugin/PayPalYPT/ipn.php lacks transaction deduplication, allowing an attacker to replay a single legitimate IPN notification to repeatedly inflate their wallet balance and renew subscriptions. The newer ipnV2.php and webhook.php handlers correctly deduplicate via PayPalYPT_log entries, but the v1 handler was never updated and remains actively referenced as the notify_url for billing plans.
Published: 2026-04-07
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized wallet balance inflation and subscription fraud
Action: Apply patch
AI Analysis

Impact

This vulnerability occurs in the PayPal IPN version 1 handler (plugin/PayPalYPT/ipn.php) of WWBN AVideo. The handler lacks transaction deduplication, allowing an attacker to replay a legitimate PayPal IPN notification. Each replay inflates the victim's wallet balance and can renew subscription services, resulting in unauthorized financial gain for the attacker. The weakness is a classic replay attack (CWE‑345) and directly affects the integrity of wallet balances and subscription status.

Affected Systems

The affected product is WWBN AVideo, an open‑source video platform. All releases up to and including version 26.0 are vulnerable, because the v1 IPN handler was never updated. Versions 26.1 and later contain the corrected ipnV2.php and webhook.php handlers that perform proper deduplication. Systems still using the old notify_url in PayPal billing plans are at risk.

Risk and Exploitability

The CVSS base score is 6.5, indicating moderate severity. The exploit does not require privileged access; an attacker only needs to send replayed IPN messages to the configured notify_url. Because the vulnerability is driven by a missing server‑side check, it can be executed remotely with minimal effort. The EPSS score is not publicly available, and the issue is not listed in the KEV catalog, so the current likelihood of exploitation is uncertain but potentially significant in environments where the PayPal IPN v1 endpoint is exposed.

Generated by OpenCVE AI on April 7, 2026 at 22:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WWBN AVideo to the latest release (26.1 or newer) which includes the fixed ipnV2.php and webhook.php handlers.
  • If an upgrade is not immediately possible, change the PayPal billing plan notify_url to point to ipnV2.php or webhook.php, removing the vulnerable v1 endpoint from exposure.
  • Apply the patch commit 8f53e9d9c6aaa07d51ace30691981edbbfb5ca1c directly if the upgrade path is unavailable.

Generated by OpenCVE AI on April 7, 2026 at 22:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-mmw7-wq3c-wf9p WWBN AVideo Affected by a PayPal IPN Replay Attack Enabling Wallet Balance Inflation via Missing Transaction Deduplication in ipn.php
History

Wed, 22 Apr 2026 19:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*

Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Wwbn
Wwbn avideo
Vendors & Products Wwbn
Wwbn avideo

Tue, 07 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
Description WWBN AVideo is an open source video platform. In versions 26.0 and prior, the PayPal IPN v1 handler at plugin/PayPalYPT/ipn.php lacks transaction deduplication, allowing an attacker to replay a single legitimate IPN notification to repeatedly inflate their wallet balance and renew subscriptions. The newer ipnV2.php and webhook.php handlers correctly deduplicate via PayPalYPT_log entries, but the v1 handler was never updated and remains actively referenced as the notify_url for billing plans.
Title WWBN AVideo Affected by a PayPal IPN Replay Attack Enabling Wallet Balance Inflation via Missing Transaction Deduplication in ipn.php
Weaknesses CWE-345
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}

Subscriptions

Wwbn Avideo
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-08T19:23:04.265Z

Reserved: 2026-04-06T21:29:17.350Z

Link: CVE-2026-39366

cve-icon Vulnrichment

Updated: 2026-04-08T19:20:55.351Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-07T20:16:30.510

Modified: 2026-04-22T18:51:32.280

Link: CVE-2026-39366

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T19:46:21Z

Weaknesses