Description
WWBN AVideo is an open source video platform. In versions up to and including 29.0, plugin/PayPalYPT/agreementCancel.json.php cancels a PayPal billing agreement using an attacker-supplied agreement parameter without verifying that the authenticated user owns the agreement. A low-privilege authenticated user who learns or obtains another user's PayPal billing agreement ID can silently suspend the victim's recurring subscription, causing revenue loss to the platform and loss of paid service to the victim. Commit 0da3dcff1eda2f497694bf82b559829471c292c2 contains an updated fix.
Published: 2026-05-11
Score: 4.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An Insecure Direct Object Reference in the PayPalYPT agreementCancel.json.php file permits a low‑privilege authenticated user to cancel any PayPal billing agreement by supplying an arbitrary agreement ID. The code does not verify that the authenticated user owns the agreement, allowing an attacker to silently suspend a victim’s recurring subscription. This results in revenue loss for the platform and discontinuation of paid services for the victim, reflecting a medium impact on confidentiality of billing data and loss of service availability to the affected user.

Affected Systems

All releases of WWBN AVideo up to and including version 29.0 contain the vulnerability. Users of these versions are at risk unless the fix commit is applied.

Risk and Exploitability

The CVSS score of 4.2 indicates a moderate severity. EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog. The attack requires a legitimate, low‑privilege authenticated account and knowledge or acquisition of another user’s PayPal agreement ID, which is an IDOR scenario. The likelihood of exploitation is low but feasible if agreement IDs are exposed or shareable.

Generated by OpenCVE AI on May 11, 2026 at 22:57 UTC.
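The defect described above is a missing object-level authorization check (CWE-639): the endpoint acts on whatever agreement ID the request carries. The following PHP sketch is an added illustration, not AVideo's code and not the actual fix commit; it contrasts the vulnerable pattern with a hardened handler that scopes the lookup to the authenticated user and writes an audit line for refused attempts, which is what the "monitor logs" recommendation below relies on. The agreement table, helper names and session layout are all hypothetical.

```php
<?php
// Added illustration, not AVideo's code: a subscription-cancellation handler
// that binds the agreement to the caller before acting on it (CWE-639 fix pattern).
// Everything here (the table, the helper names, the session layout) is hypothetical.

declare(strict_types=1);

// Constructed stand-in for a billing_agreements table: agreement ID => owner user ID.
const AGREEMENTS = [
    'I-AAAA1111' => 7,   // owned by user 7
    'I-BBBB2222' => 42,  // owned by user 42
];

// Hypothetical PayPal client wrapper; real code would call the PayPal API here.
function paypalCancelAgreement(string $agreementId): bool
{
    return true;
}

// VULNERABLE pattern (schematic): cancels whatever ID the request carries.
function cancelAgreementInsecure(array $session, array $request): array
{
    if (empty($session['user_id'])) {
        return ['error' => true, 'msg' => 'login required'];
    }
    $agreementId = $request['agreement'] ?? '';
    if (!isset(AGREEMENTS[$agreementId])) {
        return ['error' => true, 'msg' => 'unknown agreement'];
    }
    // No check that $session['user_id'] owns $agreementId: any logged-in
    // user can cancel any agreement whose ID they know. This is the IDOR.
    return ['error' => !paypalCancelAgreement($agreementId), 'msg' => 'cancelled'];
}

// HARDENED pattern: resolve the agreement scoped to the caller and refuse otherwise.
function cancelAgreementSecure(array $session, array $request, array &$auditLog): array
{
    if (empty($session['user_id'])) {
        return ['error' => true, 'msg' => 'login required'];
    }
    $userId      = (int) $session['user_id'];
    $agreementId = $request['agreement'] ?? '';

    $ownerId = AGREEMENTS[$agreementId] ?? null;
    if ($ownerId === null || $ownerId !== $userId) {
        // Same response whether the ID is unknown or belongs to someone else,
        // so the endpoint cannot be used to confirm which agreement IDs exist.
        $auditLog[] = sprintf('user=%d denied cancel of agreement=%s', $userId, $agreementId);
        return ['error' => true, 'msg' => 'agreement not found'];
    }
    $auditLog[] = sprintf('user=%d cancelled agreement=%s', $userId, $agreementId);
    return ['error' => !paypalCancelAgreement($agreementId), 'msg' => 'cancelled'];
}

// Demonstration: user 7 submits user 42's agreement ID.
$log     = [];
$session = ['user_id' => 7];
$request = ['agreement' => 'I-BBBB2222'];
echo json_encode([
    'insecure' => cancelAgreementInsecure($session, $request),
    'secure'   => cancelAgreementSecure($session, $request, $log),
    'audit'    => $log,
], JSON_PRETTY_PRINT), "\n";
```

Run with `php` on the command line: the insecure path reports the foreign agreement as cancelled, while the hardened path returns "agreement not found" and leaves a `denied cancel` audit line. In a real deployment the ownership condition belongs in the database query itself (select the agreement by ID and owner), so a later refactor cannot reintroduce an unscoped lookup, and repeated denied lines from one account are the signal to alert on.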

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch referenced by commit 0da3dcff1eda2f497694bf82b559829471c292c2, which adds ownership verification to the cancellation endpoint
  • Update your deployment to include the fixed agreementCancel.json.php file and restart the web service
  • Disable or restrict the cancellation endpoint for existing users until the patch is applied, and monitor logs for unauthorized cancellation attempts

Generated by OpenCVE AI on May 11, 2026 at 22:57 UTC.

Advisories
Source: GitHub GHSA
ID: GHSA-958h-qp3x-q4gj
Title: AVideo: IDOR in PayPalYPT Plugin Allows Any Authenticated User to Cancel Arbitrary PayPal Subscription Agreements
History

Mon, 11 May 2026 23:00:00 +0000

First Time appeared (values added): Wwbn; Wwbn avideo
Vendors & Products (values added): Wwbn; Wwbn avideo

Mon, 11 May 2026 21:30:00 +0000

Description (value added): WWBN AVideo is an open source video platform. In versions up to and including 29.0, plugin/PayPalYPT/agreementCancel.json.php cancels a PayPal billing agreement using an attacker-supplied agreement parameter without verifying that the authenticated user owns the agreement. A low-privilege authenticated user who learns or obtains another user's PayPal billing agreement ID can silently suspend the victim's recurring subscription, causing revenue loss to the platform and loss of paid service to the victim. Commit 0da3dcff1eda2f497694bf82b559829471c292c2 contains an updated fix.
Title (value added): WWBN AVideo: IDOR in PayPalYPT agreementCancel.json.php Allows Any Authenticated User to Cancel Arbitrary PayPal Subscription Agreements
Weaknesses (value added): CWE-639
References: none
Metrics (value added): cvssV3_1 {'score': 4.2, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-12T16:38:42.688Z

Reserved: 2026-05-04T15:17:09.329Z

Link: CVE-2026-43883

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2026-05-11T22:22:12.940

Modified: 2026-05-12T18:17:28.380

Link: CVE-2026-43883

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-11T23:00:19Z

Weaknesses