Description
AVideo through version 26.0 contains multiple unauthenticated list.json.php endpoints in payment plugins lacking authorization checks, exposing PayPal tokens, Authorize.Net webhooks, and Bitcoin transaction records. Unauthenticated attackers can retrieve all payment transaction data including agreement IDs, user financial records, and API responses via direct GET requests to vulnerable endpoints.
Published: 2026-06-20
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is an unauthenticated list.json.php endpoint in several payment plugins of AVideo versions up to 26.0 that lacks proper authorization checks. Attackers can perform simple GET requests to reveal all stored payment transaction data, including PayPal tokens, Authorize.Net webhook payloads, and Bitcoin transaction records. The data exposed contains agreement identifiers, user financial records, and API responses, which could allow further fraud or credential theft. This vulnerability is a classic example of Missing Authorization (CWE-862) and results in a confidentiality breach of user financial information.

Affected Systems

All installations of AVideo produced by WWBN that remain at version 26.0 or earlier are vulnerable. The vulnerability is present in the payment plugins’ list.json.php endpoints and affects all customers running those versions.

Risk and Exploitability

The CVSS score of 8.7 classifies this as a high‑severity flaw. With no EPSS data available and the issue not yet listed in CISA KEV, the exploitation likelihood remains undetermined, but the attack path is straightforward: any external party can issue a GET request to the exposed endpoint without authentication. If the system is reachable over the internet, the vector is network, and the scope is unlimited to all data served by the list.json.php endpoints.

Generated by OpenCVE AI on June 20, 2026 at 19:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade AVideo to the latest available release that removes the unauthenticated list.json.php endpoints.
  • Configure network controls (firewall, reverse‑proxy, or access‑control lists) to deny unauthenticated access to the /list.json.php paths in the payment modules until an upgrade is possible.
  • Patch or modify the payment plugins so that every list.json.php endpoint performs proper authorization checks before returning data.
  • Enable and regularly review logs to detect any unauthorized GET attempts to the vulnerable endpoints.

Generated by OpenCVE AI on June 20, 2026 at 19:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 20 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
Description AVideo through version 26.0 contains multiple unauthenticated list.json.php endpoints in payment plugins lacking authorization checks, exposing PayPal tokens, Authorize.Net webhooks, and Bitcoin transaction records. Unauthenticated attackers can retrieve all payment transaction data including agreement IDs, user financial records, and API responses via direct GET requests to vulnerable endpoints.
Title AVideo - Unauthenticated Access to Payment Log DataTables Endpoints via list.json.php
First Time appeared Wwbn
Wwbn avideo
Weaknesses CWE-862
CPEs cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*
Vendors & Products Wwbn
Wwbn avideo
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-22T17:24:01.508Z

Reserved: 2026-06-20T13:13:56.012Z

Link: CVE-2026-56341

cve-icon Vulnrichment

Updated: 2026-06-22T17:23:47.098Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T22:30:02Z

Weaknesses