Jun 4, 2026·5 min read·7 visits
Authenticated users can inject arbitrary virtual funds into their wallets due to a hardcoded payment success flag and missing API validation in a placeholder endpoint.
An authenticated wallet credit bypass vulnerability exists in WWBN AVideo version 29.0 and earlier. The AuthorizeNet plugin includes an unfinished mockup endpoint, processPayment.json.php, which lacks actual transaction verification and hardcodes success. This allows any authenticated user to credit their wallet with arbitrary balances without making any payments.
WWBN AVideo is an open-source video platform. The software includes various plugins, including AuthorizeNet for payment processing and YPTWallet for virtual wallet management. In versions 29.0 and earlier, a vulnerable file named processPayment.json.php in the AuthorizeNet plugin is accessible to authenticated users.
This endpoint was intended to serve as a development placeholder or test script but was left active in production releases. Because the endpoint does not perform any actual integration with the Authorize.Net API, it trusts input parameters blindly and modifies user balances without a real-world financial transaction.
The vulnerability is tracked as CVE-2026-47696 and GHSA-9392-pj54-qqf8. Its exploitation allows standard authenticated users to artificially increase their virtual currency balance, bypass paywalls, and access premium site features. The scope remains restricted to systems utilizing both the AuthorizeNet and YPTWallet plugins.
The root cause of the vulnerability lies in the file plugin/AuthorizeNet/processPayment.json.php. This file accepts a POST request containing an amount parameter and an optional userData parameter.
The script initializes the AuthorizeNet plugin and converts the user-supplied amount into a floating-point number. While the script validates that the amount is greater than zero, it fails to perform any verification with the payment provider. Instead, the actual call to the Authorize.Net API is commented out with a 'TODO' placeholder.
Following the commented-out block, the script sets a local variable $paymentSuccess to true by default. It then retrieves the logged-in user's ID via the global session and uses the addBalance method of the YPTWallet plugin to add the arbitrary amount directly to the user's account. This represents a classic insufficient verification of data authenticity (CWE-345).
Below is the vulnerable source code as it existed in plugin/AuthorizeNet/processPayment.json.php prior to the patch:
<?php
require_once __DIR__ . '/../../videos/configuration.php';
header('Content-Type: application/json');
$plugin = new AuthorizeNet();
$amount = isset($_POST['amount']) ? floatval($_POST['amount']) : 0;
$userData = isset($_POST['userData']) ? $_POST['userData'] : [];
if ($amount <= 0) {
echo json_encode(['error' => 'Invalid amount']);
exit;
}
// TODO: Implement payment logic using Authorize.Net API
// $result = $plugin->chargePayment($amount, $userData);
$paymentSuccess = true;
$users_id = @User::getId();
if ($paymentSuccess && !empty($users_id)) {
$walletPlugin = AVideoPlugin::loadPluginIfEnabled("YPTWallet");
if ($walletPlugin) {
$walletPlugin->addBalance($users_id, $amount, 'Authorize.Net one-time payment');
echo json_encode(['success' => true, 'result' => 'Payment processed and wallet updated']);
exit;
}
}The vulnerability was resolved by completely deleting the processPayment.json.php file in the security fix. Because the file was non-functional and served no business purpose, removing it entirely from the codebase was the most robust remediation strategy, reducing the application's attack surface without introducing complex verification logic.
Exploitation of this vulnerability requires a valid, authenticated user session on the target AVideo platform. The attacker does not need administrative privileges. The target system must have both the AuthorizeNet and YPTWallet plugins enabled.
An attacker begins by logging into their account to establish a session cookie. They then construct an HTTP POST request targeting /plugin/AuthorizeNet/processPayment.json.php with the parameter amount set to the desired virtual credit.
Upon processing, the server executes the script, evaluates $paymentSuccess as true, and directly credits the database ledger for that user session. The response returns a success message confirming the wallet update.
The security impact of CVE-2026-47696 is classified as high integrity violation. An attacker can generate an infinite amount of virtual currency on the platform.
While the CVSS 3.1 base score is 4.3 (due to low integrity impact in the standard matrix where the system itself is not fully compromised), the CVSS 4.0 score of 7.1 reflects the true severity. High integrity impact is achieved because the application's core financial and access control business logic is entirely bypassed.
This virtual balance can be used to purchase premium videos, unlock paid subscription plans, or access other paywalled resources within the target site. This leads to immediate financial loss for content creators and platform operators.
The primary remediation is to upgrade WWBN AVideo to a version released after May 19, 2026, which lacks the vulnerable processPayment.json.php script.
If immediate upgrading is not possible, system administrators can manually delete the file from the server's directory:
rm /var/www/html/AVideo/plugin/AuthorizeNet/processPayment.json.php
To detect potential exploitation, administrators should audit web server logs for any POST requests targeting the affected endpoint. Additionally, database administrators should search the wallet transaction table for rows containing the description 'Authorize.Net one-time payment' and cross-reference them with actual payment gateway records.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N| Product | Affected Versions | Fixed Version |
|---|---|---|
AVideo WWBN | <= 29.0 | Commit 8224024 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-345 |
| Attack Vector | Network |
| CVSS v4.0 | 7.1 |
| CVSS v3.1 | 4.3 |
| Exploit Status | PoC |
| KEV Status | Not Listed |
The software does not sufficiently verify the authenticity of data, allowing an attacker to submit unverified parameters that are trusted implicitly by the system.
A stored Cross-Site Scripting (XSS) vulnerability exists within plone.restapi, the REST API package for Plone content management system. By supplying a spoofed input MIME type (text/x-html-safe), an attacker can mislead the rendering layer (plone.app.textfield) into assuming that the supplied content is already sanitized. This causes the system to skip the safe_html transform, allowing arbitrary JavaScript to execute in the victim's browser when they view the compromised page.
An untrusted search path vulnerability in the GlobalDatabasePlugin component of the AWS Advanced JDBC Wrapper for Amazon Aurora PostgreSQL allows authenticated, low-privilege database users to hijack administrative session queries. By defining a custom function in a writable schema such as the public schema, an attacker can hijack queries executed automatically during driver-level topology detection. When a highly privileged database user connects to the database utilizing an affected version of the wrapper, the custom function executes under their security context, enabling remote privilege escalation to rds_superuser.
CVE-2026-27771 represents a critical security flaw in Gitea and Forgejo (up to and including version 1.26.1) involving missing authorization checks (CWE-862). Unauthenticated remote attackers can query, enumerate, and download private container images from the OCI-compliant container registry. Additionally, unauthorized users can retrieve private or internal source repository URLs via the Composer package registry metadata API. A public proof-of-concept exists, and threat metrics indicate highly active scanning and exploitation risks.
A missing authorization vulnerability in the Formie plugin for Craft CMS prior to version 3.1.28 allows low-privileged Control Panel users to read and modify sensitive administrative settings, configuration options, and third-party integrations.
CVE-2026-53598 is a directory traversal and arbitrary file read vulnerability in Microsoft Prompty ecosystem loaders across multiple languages. Prior to version 2.0.0-beta.2, the loaders resolved `${file:...}` reference strings inside frontmatter configuration blocks without enforcing that the target file paths resided within authorized directories. This deficiency allows an attacker-controlled configuration file to read sensitive operating system and application files through absolute paths, directory traversal, or symbolic link escapes. The issue is addressed across the Python, C#, Node.js/TypeScript, and Rust ecosystems.
A directory traversal vulnerability exists in the copy subcommand of the proot-distro utility. Due to incomplete path sanitization, local attackers or malicious scripts can read from or write to arbitrary files outside the container rootfs, bypassing isolation barriers and potentially gaining unauthorized access or persistent execution on the host system.