MEDIUM 4.3

CVE-2026-47696: WWBN AVideo AuthorizeNet Payment Bypass—Wallet Fraud Vulnerability

WWBN AVideo, an open-source video hosting platform, contains a payment processing vulnerability in versions 29.0 and earlier. When both the AuthorizeNet and YPTWallet plugins are active, any logged-in user can artificially inflate their account wallet balance without actually paying. The vulnerable endpoint accepts a user-supplied amount parameter and immediately credits the wallet without verifying that a real payment transaction occurred through Authorize.Net. This is a financial manipulation flaw that bypasses payment authentication entirely.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Weaknesses (CWE)
CWE-345
Affected products
1 configuration(s)
Published / Modified
2026-05-29 / 2026-06-17

NVD description (verbatim)

WWBN AVideo is an open source video platform. In 29.0 and earlier, plugin/AuthorizeNet/processPayment.json.php credits the logged-in user's wallet based only on the attacker-controlled amount POST parameter. The endpoint contains a TODO for real Authorize.Net charging, hardcodes $paymentSuccess = true, and then calls YPTWallet::addBalance() without validating any Authorize.Net transaction, webhook signature, hosted payment token, nonce, or server-side payment record. This allows any logged-in user to add arbitrary funds to their own AVideo wallet when the AuthorizeNet and YPTWallet plugins are enabled.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in plugin/AuthorizeNet/processPayment.json.php, which implements incomplete payment processing logic. The endpoint accepts a POST parameter for the credit amount, hardcodes $paymentSuccess = true, and directly invokes YPTWallet::addBalance() without performing server-side validation of: Authorize.Net transaction authenticity, webhook cryptographic signatures, hosted payment tokens, nonce values, or any stored payment record. The code contains a TODO comment indicating the Authorize.Net integration was never completed, leaving only the wallet credit function operational. This allows any authenticated user to call the endpoint with arbitrary amount values and receive wallet credits without any corresponding legitimate payment.

Business impact

This vulnerability enables financial fraud within the platform. Authenticated users can generate value (wallet credits) without payment, potentially allowing them to access premium content, services, or features that require paid balance. For operators running AVideo with monetization enabled, this represents direct revenue loss and inventory shrinkage. The impact scales with the number of malicious or compromised user accounts, and organizations depending on subscription or pay-per-view models face both direct financial loss and accounting reconciliation challenges.

Affected systems

WWBN AVideo versions 29.0 and earlier are affected. The vulnerability is only exploitable when both the AuthorizeNet plugin and YPTWallet plugin are simultaneously enabled. Organizations running AVideo without these specific plugins, or with only one of them active, are not impacted by this issue. Administrators should verify their plugin configuration and AVideo version number.

Exploitability

Exploitation requires user authentication (a valid AVideo account), making this a low-barrier attack for any user with platform access. No special privileges, no complex authentication bypass, and no user interaction from victims is required. The attack is trivial to execute: a simple HTTP POST request to the vulnerable endpoint with a chosen amount parameter will immediately credit the attacker's wallet. The only practical barrier is that an attacker must first obtain or create a legitimate user account on the affected system.

Remediation

Upgrade WWBN AVideo to a version later than 29.0 that includes a security patch for this payment processing flaw. Verify the patch against the vendor advisory to confirm the fix includes proper server-side validation of Authorize.Net transactions. As an interim measure, administrators can disable the AuthorizeNet plugin or the YPTWallet plugin—disabling either one will prevent exploitation. However, plugin disabling is not a complete fix and should only serve as a temporary control while patching is planned and deployed.

Patch guidance

Contact WWBN for the latest AVideo release that addresses CVE-2026-47696. When patches become available, apply them to all AVideo instances running versions 29.0 or earlier. Verify that the patched version includes cryptographic validation of payment transactions, webhook signature verification, and server-side payment record correlation before wallet credits are applied. Test the patch in a non-production environment first, particularly if your platform has active monetization or subscription services, to ensure payment processing continues to function correctly.

Detection guidance

Monitor POST requests to plugin/AuthorizeNet/processPayment.json.php for unusual patterns: high-frequency requests, requests with large amount parameters, or requests from users who do not typically use premium features. Log and alert on any wallet balance increments that do not correspond to recorded Authorize.Net transactions. If possible, correlate wallet credit events with your payment processor's transaction logs—credits without corresponding processor records indicate potential exploitation. Review access logs to identify which user accounts have called this endpoint and cross-reference with payment history anomalies.

Why prioritize this

Although the CVSS score is moderate (4.3), this vulnerability should be treated as high-priority for any AVideo operator with monetization enabled. The combination of ease of exploitation (simple HTTP request, only authentication required) and direct financial impact (revenue fraud) makes this more urgent than the base score suggests. Organizations monetizing video content should patch immediately. Non-monetized instances or those without both plugins active have lower risk but should still apply patches as part of routine security hygiene.

Risk score, explained

The CVSS v3.1 score of 4.3 (MEDIUM) reflects the requirement for authentication (PR:L) and network-only access (AV:N) with low attack complexity (AC:L). Integrity impact is rated low (I:L) because the compromise is limited to unauthorized wallet credit manipulation rather than system-wide integrity loss. However, the true business risk is higher for monetized platforms: the score does not fully capture the direct financial loss from fraud or the reputational damage of a payment system that can be trivially bypassed. Organizations should consider their specific monetization model when prioritizing beyond the base score.

Frequently asked questions

Do we need both plugins enabled for this to be exploitable?

Yes. The vulnerability requires both AuthorizeNet and YPTWallet plugins to be active simultaneously. If either plugin is disabled, the vulnerable endpoint cannot be reached or will not function. Check your AVideo admin panel under Plugins to confirm which plugins are currently enabled.

Can unauthenticated users exploit this vulnerability?

No. The attack requires a valid, logged-in AVideo user account. An attacker must first obtain or create an account on your platform. However, if you allow public registration, an attacker can create an account themselves, making this practical to exploit at scale.

Will disabling the plugins completely solve the problem?

Disabling either the AuthorizeNet or YPTWallet plugin will prevent exploitation, but this is only a temporary workaround. You will lose payment functionality if you disable AuthorizeNet, or wallet features if you disable YPTWallet. The proper solution is to upgrade to a patched version of AVideo that implements proper payment validation.

How do we know if we've been exploited?

Look for wallet balance increases that do not match completed Authorize.Net transactions in your payment processor account. Query your AVideo database to identify wallet credit events, then compare against your payment processor's transaction log. Any credits without corresponding processor transactions are suspicious. Also review user account creation dates to see if there was a spike in new accounts coinciding with unauthorized wallet credits.

This analysis is based on the published CVE record and vendor information available as of the publication date. Specific patch version numbers, availability, and exact remediation steps should be verified directly with WWBN through their official advisory or support channels. Organizations should test patches in non-production environments before broad deployment. The severity and priority of this vulnerability may vary depending on your specific AVideo deployment, plugin configuration, and monetization model. This information is provided for informational purposes and does not constitute professional security advice; consult with your security team or a qualified security firm for guidance specific to your environment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).