Description
WWBN AVideo is an open source video platform. In 29.0 and earlier, plugin/AuthorizeNet/processPayment.json.php credits the logged-in user's wallet based only on the attacker-controlled amount POST parameter. The endpoint contains a TODO for real Authorize.Net charging, hardcodes $paymentSuccess = true, and then calls YPTWallet::addBalance() without validating any Authorize.Net transaction, webhook signature, hosted payment token, nonce, or server-side payment record. This allows any logged-in user to add arbitrary funds to their own AVideo wallet when the AuthorizeNet and YPTWallet plugins are enabled.
Published: 2026-05-29
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in the AuthorizeNet processPayment endpoint allows authenticated users to arbitrarily inflate their wallet balance. The endpoint performs no transaction validation, hardcodes a successful payment flag, and adds the supplied amount directly to the user's wallet. Credits can therefore be added without any legitimate payment transaction, bypassing financial controls and enabling fraud or abuse of in-platform services. The weakness is classified as CWE-345 (Insufficient Verification of Data Authenticity).

Affected Systems

WWBN AVideo versions 29.0 and earlier are affected when both the AuthorizeNet and YPTWallet plugins are enabled and the processPayment.json.php endpoint is accessible to authenticated users. The issue is confined to platforms using these plugins and does not affect earlier migrations or custom deployments that have removed or altered the endpoint.

Risk and Exploitability

The CVSS 4.0 score of 7.1 is rated High. The EPSS score is below 1% (Very Low), and the vulnerability is not listed in the CISA KEV catalog. Attackers require legitimate login credentials and the presence of the vulnerable plugins; from that position, they can repeatedly add funds to their own wallet, compromising the system's financial integrity.

Generated by OpenCVE AI on May 29, 2026 at 15:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update WWBN AVideo to version 29.1 or later, where the vulnerability is patched.
  • If an update is not immediately possible, disable or remove the AuthorizeNet and YPTWallet plugins so the vulnerable endpoint cannot be reached.
  • Post‑update, verify that the processPayment endpoint now requires server‑side transaction verification and signature validation before affecting wallet balances.
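
One shape the server-side verification named in the last recommendation can take, as an added PHP sketch that is not AVideo's or Authorize.Net's code: the credited amount comes from a server-side order record, and the wallet changes only when a gateway notification carries a valid HMAC. `Ledger`, `openOrder`, `settle`, `SIGNING_KEY`, the JSON field names and the HMAC-SHA512 scheme are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Added sketch: every name is hypothetical, not AVideo or Authorize.Net code.
const SIGNING_KEY = 'constructed-demo-key'; // assumption: secret shared with the gateway

final class Ledger
{
    private array $orders = [];  // server-side payment records keyed by order id
    public array $wallets = [];  // user id => balance in cents

    // Step 1: the server fixes who pays and how much before any money moves.
    public function openOrder(int $userId, int $cents): string
    {
        if ($cents <= 0) {
            throw new InvalidArgumentException('amount must be positive');
        }
        $orderId = bin2hex(random_bytes(8));
        $this->orders[$orderId] = ['user' => $userId, 'cents' => $cents, 'credited' => false];
        return $orderId;
    }

    // Step 2: credit only on an authenticated gateway notification.
    public function settle(string $rawBody, string $signatureHex): bool
    {
        $expected = hash_hmac('sha512', $rawBody, SIGNING_KEY);
        if (!hash_equals($expected, strtolower($signatureHex))) {
            return false; // forged or tampered notification
        }
        $msg = json_decode($rawBody, true);
        $id = is_array($msg) && is_string($msg['orderId'] ?? null) ? $msg['orderId'] : '';
        $order = $this->orders[$id] ?? null;
        if ($order === null || $order['credited']
            || ($msg['status'] ?? '') !== 'captured'
            || ($msg['cents'] ?? null) !== $order['cents']) {
            return false; // unknown order, replay, not captured, or amount mismatch
        }
        $this->orders[$id]['credited'] = true; // one credit per order
        $this->wallets[$order['user']] = ($this->wallets[$order['user']] ?? 0) + $order['cents'];
        return true;
    }
}

// Constructed sample run: forged signature, genuine notification, then a replay.
$ledger = new Ledger();
$id = $ledger->openOrder(7, 500);
$body = json_encode(['orderId' => $id, 'status' => 'captured', 'cents' => 500]);
$sig = hash_hmac('sha512', $body, SIGNING_KEY);
var_dump($ledger->settle($body, str_repeat('0', 128)), $ledger->settle($body, $sig),
    $ledger->settle($body, $sig), $ledger->wallets);
```

The request that reaches `settle` never supplies the amount to credit; it can only confirm an order the server already recorded, and each order credits once.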



Advisories
Source: Github GHSA
ID: GHSA-9392-pj54-qqf8
Title: WWBN AVideo: Authenticated wallet credit bypass in AuthorizeNet processPayment endpoint
History

Mon, 01 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


Fri, 29 May 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Wwbn
Wwbn avideo
Vendors & Products Wwbn
Wwbn avideo

Fri, 29 May 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 29 May 2026 13:45:00 +0000

Type Values Removed Values Added
Description WWBN AVideo is an open source video platform. In 29.0 and earlier, plugin/AuthorizeNet/processPayment.json.php credits the logged-in user's wallet based only on the attacker-controlled amount POST parameter. The endpoint contains a TODO for real Authorize.Net charging, hardcodes $paymentSuccess = true, and then calls YPTWallet::addBalance() without validating any Authorize.Net transaction, webhook signature, hosted payment token, nonce, or server-side payment record. This allows any logged-in user to add arbitrary funds to their own AVideo wallet when the AuthorizeNet and YPTWallet plugins are enabled.
Title WWBN AVideo: Authenticated wallet credit bypass in AuthorizeNet processPayment endpoint
Weaknesses CWE-345
References
Metrics cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-29T14:03:52.153Z

Reserved: 2026-05-19T21:18:20.403Z

Link: CVE-2026-47696

Vulnrichment

Updated: 2026-05-29T14:03:36.360Z

NVD

Status: Analyzed

Published: 2026-05-29T14:16:32.127

Modified: 2026-06-01T18:38:28.563

Link: CVE-2026-47696

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T15:30:04Z

Weaknesses
  • CWE-345

    Insufficient Verification of Data Authenticity