Insufficient data authenticity validation In wwbn/avideo
Description
WWBN AVideo: Authenticated wallet credit bypass in AuthorizeNet processPayment endpoint
Summary
plugin/AuthorizeNet/processPayment.json.php credits the logged-in user's wallet based only on the attacker-controlled amount POST parameter.
The endpoint contains a TODO for real Authorize.Net charging, hardcodes $paymentSuccess = true, and then calls YPTWallet::addBalance() without validating
any Authorize.Net transaction, webhook signature, hosted payment token, nonce, or server-side payment record.
This allows any logged-in user to add arbitrary funds to their own AVideo wallet when the AuthorizeNet and YPTWallet plugins are enabled.
Details
Affected file:
plugin/AuthorizeNet/processPayment.json.php
Relevant code:
    $amount = isset($_POST['amount']) ? floatval($_POST['amount']) : 0;
    $userData = isset($_POST['userData']) ? $_POST['userData'] : [];
    if ($amount <= 0) {
        echo json_encode(['error' => 'Invalid amount']);
        exit;
    }
    ...
Vulnerable flow:
$_POST['amount'] is read from the client.
The endpoint only checks that the amount is greater than zero.
The real Authorize.Net charge is not performed.
$paymentSuccess is hardcoded to true.
The logged-in user's wallet is credited with the client-supplied amount.
There is no verification of:
Authorize.Net transaction ID
payment token
webhook signature
pending payment record
expected server-side amount
currency
duplicate transaction/replay state
PoC
Prerequisites:
AVideo with AuthorizeNet plugin enabled
YPTWallet plugin enabled
Attacker has any valid user account
Steps:
Log in as a low-privileged user.
Open the wallet page and record the current balance.
Send the following request with the user's authenticated session cookie:
    curl -i -s -b 'PHPSESSID=<user_session>' \
      -X POST 'https://target.example/plugin/AuthorizeNet/processPayment.json.php' \
      --data 'amount=9999&userData[note]=poc'
The endpoint returns:
{"success":true,"result":"Payment processed and wallet updated"}
Refresh the wallet page.
The wallet balance is increased by 9999.
No Authorize.Net hosted payment page, card payment, transaction confirmation, webhook, or server-side payment validation is required.
Impact
A normal authenticated user can mint arbitrary wallet balance.
Depending on the target site's configuration, this may allow the attacker to:
purchase paid videos or subscriptions without payment
abuse any feature backed by YPTWallet
transfer fake funds to other users
manipulate accounting or payout-related workflows
bypass monetization controls
Recommended fix
Remove or disable processPayment.json.php if it is obsolete.
Never credit wallet balance from client-supplied amount alone.
Use the existing Authorize.Net hosted token / webhook / transaction reconciliation flow.
Require a verified Authorize.Net transaction ID and server-side amount lookup before calling addBalance().
Add regression tests proving arbitrary POSTs cannot credit a wallet.
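One way to implement the server-side check the recommendations describe, as an added example that is not AVideo's code. The function name, the array-based stores and the shape of `$tx` are assumptions; `$tx` stands for a transaction record the server itself retrieved from Authorize.Net, never a value taken from the request.

```php
<?php
declare(strict_types=1);

// Added example, not AVideo code. The arrays stand in for database tables;
// $tx is the transaction as fetched server-side from the gateway (hypothetical shape).
function creditVerifiedPayment(array &$pending, array &$usedTxIds, array &$wallets,
                               int $userId, string $orderId, array $tx): array
{
    // The credit must correspond to a pending record the server created for this user.
    $order = $pending[$orderId] ?? null;
    if ($order === null || $order['userId'] !== $userId || $order['status'] !== 'pending') {
        return ['error' => 'No matching pending payment'];
    }
    if (($tx['orderId'] ?? '') !== $orderId || ($tx['status'] ?? '') !== 'captured') {
        return ['error' => 'Transaction not confirmed for this order'];
    }
    // Compare against the amount and currency the server recorded, in integer cents.
    if (($tx['amountCents'] ?? null) !== $order['amountCents']
        || ($tx['currency'] ?? null) !== $order['currency']) {
        return ['error' => 'Amount or currency mismatch'];
    }
    // Each gateway transaction ID may credit a wallet only once.
    $txId = (string)($tx['transId'] ?? '');
    if ($txId === '' || isset($usedTxIds[$txId])) {
        return ['error' => 'Missing or replayed transaction ID'];
    }
    // With a real database, perform these three writes in a single DB transaction.
    $usedTxIds[$txId] = true;
    $pending[$orderId]['status'] = 'paid';
    $wallets[$userId] = ($wallets[$userId] ?? 0) + $order['amountCents'];
    return ['success' => true, 'creditedCents' => $order['amountCents']];
}

// Constructed sample data: one pending order for user 7 and its gateway record.
$pending = ['ord-1' => ['userId' => 7, 'amountCents' => 1000, 'currency' => 'USD', 'status' => 'pending']];
$usedTxIds = [];
$wallets = [7 => 0];
$tx = ['transId' => 'T100', 'orderId' => 'ord-1', 'status' => 'captured',
       'amountCents' => 1000, 'currency' => 'USD'];

// Case 1: the reported amount differs from what the server recorded for the order.
var_dump(creditVerifiedPayment($pending, $usedTxIds, $wallets, 7, 'ord-1',
                               array_merge($tx, ['amountCents' => 999900])));
// Case 2: the transaction matches the pending record.
var_dump(creditVerifiedPayment($pending, $usedTxIds, $wallets, 7, 'ord-1', $tx));
// Case 3: the same transaction is submitted a second time.
var_dump(creditVerifiedPayment($pending, $usedTxIds, $wallets, 7, 'ord-1', $tx));
```

The amount credited is always the one stored in the pending record, so a client-supplied `amount` has no path to the wallet.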
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
| Ecosystem | Package | Affected version |
|---|---|---|
| packagist | | |