Impact
The flaw is an unauthenticated list.json.php endpoint in several payment plugins of AVideo versions up to 26.0 that lacks proper authorization checks. Attackers can perform simple GET requests to reveal all stored payment transaction data, including PayPal tokens, Authorize.Net webhook payloads, and Bitcoin transaction records. The data exposed contains agreement identifiers, user financial records, and API responses, which could allow further fraud or credential theft. This vulnerability is a classic example of Missing Authorization (CWE-862) and results in a confidentiality breach of user financial information.
Affected Systems
All installations of AVideo produced by WWBN that remain at version 26.0 or earlier are vulnerable. The vulnerability is present in the payment plugins’ list.json.php endpoints and affects all customers running those versions.
Risk and Exploitability
The CVSS score of 8.7 classifies this as a high‑severity flaw. With no EPSS data available and the issue not yet listed in CISA KEV, the exploitation likelihood remains undetermined, but the attack path is straightforward: any external party can issue a GET request to the exposed endpoint without authentication. If the system is reachable over the internet, the vector is network, and the scope is unlimited to all data served by the list.json.php endpoints.
OpenCVE Enrichment