CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



CVE-2026-47696

CVE-2026-47696: Authenticated Wallet Credit Bypass in WWBN AVideo AuthorizeNet Plugin

Amit Schendel
Amit Schendel
Senior Security Researcher

Jun 4, 2026·5 min read·7 visits

Executive Summary (TL;DR)

Authenticated users can inject arbitrary virtual funds into their wallets due to a hardcoded payment success flag and missing API validation in a placeholder endpoint.

An authenticated wallet credit bypass vulnerability exists in WWBN AVideo version 29.0 and earlier. The AuthorizeNet plugin includes an unfinished mockup endpoint, processPayment.json.php, which lacks actual transaction verification and hardcodes success. This allows any authenticated user to credit their wallet with arbitrary balances without making any payments.

Vulnerability Overview

WWBN AVideo is an open-source video platform. The software includes various plugins, including AuthorizeNet for payment processing and YPTWallet for virtual wallet management. In versions 29.0 and earlier, a vulnerable file named processPayment.json.php in the AuthorizeNet plugin is accessible to authenticated users.

This endpoint was intended to serve as a development placeholder or test script but was left active in production releases. Because the endpoint does not perform any actual integration with the Authorize.Net API, it trusts input parameters blindly and modifies user balances without a real-world financial transaction.

The vulnerability is tracked as CVE-2026-47696 and GHSA-9392-pj54-qqf8. Its exploitation allows standard authenticated users to artificially increase their virtual currency balance, bypass paywalls, and access premium site features. The scope remains restricted to systems utilizing both the AuthorizeNet and YPTWallet plugins.

Root Cause Analysis

The root cause of the vulnerability lies in the file plugin/AuthorizeNet/processPayment.json.php. This file accepts a POST request containing an amount parameter and an optional userData parameter.

The script initializes the AuthorizeNet plugin and converts the user-supplied amount into a floating-point number. While the script validates that the amount is greater than zero, it fails to perform any verification with the payment provider. Instead, the actual call to the Authorize.Net API is commented out with a 'TODO' placeholder.

Following the commented-out block, the script sets a local variable $paymentSuccess to true by default. It then retrieves the logged-in user's ID via the global session and uses the addBalance method of the YPTWallet plugin to add the arbitrary amount directly to the user's account. This represents a classic insufficient verification of data authenticity (CWE-345).

Vulnerable vs. Patched Code Analysis

Below is the vulnerable source code as it existed in plugin/AuthorizeNet/processPayment.json.php prior to the patch:

<?php
require_once __DIR__ . '/../../videos/configuration.php';
header('Content-Type: application/json');
$plugin = new AuthorizeNet();
$amount = isset($_POST['amount']) ? floatval($_POST['amount']) : 0;
$userData = isset($_POST['userData']) ? $_POST['userData'] : [];
if ($amount <= 0) {
    echo json_encode(['error' => 'Invalid amount']);
    exit;
}
// TODO: Implement payment logic using Authorize.Net API
// $result = $plugin->chargePayment($amount, $userData);
 
$paymentSuccess = true;
$users_id = @User::getId();
if ($paymentSuccess && !empty($users_id)) {
    $walletPlugin = AVideoPlugin::loadPluginIfEnabled("YPTWallet");
    if ($walletPlugin) {
        $walletPlugin->addBalance($users_id, $amount, 'Authorize.Net one-time payment');
        echo json_encode(['success' => true, 'result' => 'Payment processed and wallet updated']);
        exit;
    }
}

The vulnerability was resolved by completely deleting the processPayment.json.php file in the security fix. Because the file was non-functional and served no business purpose, removing it entirely from the codebase was the most robust remediation strategy, reducing the application's attack surface without introducing complex verification logic.

Exploitation Methodology

Exploitation of this vulnerability requires a valid, authenticated user session on the target AVideo platform. The attacker does not need administrative privileges. The target system must have both the AuthorizeNet and YPTWallet plugins enabled.

An attacker begins by logging into their account to establish a session cookie. They then construct an HTTP POST request targeting /plugin/AuthorizeNet/processPayment.json.php with the parameter amount set to the desired virtual credit.

Upon processing, the server executes the script, evaluates $paymentSuccess as true, and directly credits the database ledger for that user session. The response returns a success message confirming the wallet update.

Impact Assessment

The security impact of CVE-2026-47696 is classified as high integrity violation. An attacker can generate an infinite amount of virtual currency on the platform.

While the CVSS 3.1 base score is 4.3 (due to low integrity impact in the standard matrix where the system itself is not fully compromised), the CVSS 4.0 score of 7.1 reflects the true severity. High integrity impact is achieved because the application's core financial and access control business logic is entirely bypassed.

This virtual balance can be used to purchase premium videos, unlock paid subscription plans, or access other paywalled resources within the target site. This leads to immediate financial loss for content creators and platform operators.

Remediation and Detection

The primary remediation is to upgrade WWBN AVideo to a version released after May 19, 2026, which lacks the vulnerable processPayment.json.php script.

If immediate upgrading is not possible, system administrators can manually delete the file from the server's directory:

rm /var/www/html/AVideo/plugin/AuthorizeNet/processPayment.json.php

To detect potential exploitation, administrators should audit web server logs for any POST requests targeting the affected endpoint. Additionally, database administrators should search the wallet transaction table for rows containing the description 'Authorize.Net one-time payment' and cross-reference them with actual payment gateway records.

Official Patches

WWBNCommit that deletes the vulnerable processPayment.json.php file

Technical Appendix

CVSS Score
7.1/ 10
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
EPSS Probability
0.02%
Top 94% most exploited

Affected Systems

WWBN AVideo version 29.0 and earlier with AuthorizeNet and YPTWallet plugins enabled

Affected Versions Detail

Product
Affected Versions
Fixed Version
AVideo
WWBN
<= 29.0Commit 8224024
AttributeDetail
CWE IDCWE-345
Attack VectorNetwork
CVSS v4.07.1
CVSS v3.14.3
Exploit StatusPoC
KEV StatusNot Listed

MITRE ATT&CK Mapping

T1556Modify Authentication Process
Defense Evasion
CWE-345
Insufficient Verification of Data Authenticity

The software does not sufficiently verify the authenticity of data, allowing an attacker to submit unverified parameters that are trusted implicitly by the system.

Known Exploits & Detection

GitHubSecurity advisory detailing the workflow and impact of the credit bypass.

Vulnerability Timeline

Security patch committed
2026-05-19
Advisory GHSA-9392-pj54-qqf8 published
2026-05-29
CVE-2026-47696 assigned
2026-05-29

References & Sources

  • [1]GitHub Security Advisory GHSA-9392-pj54-qqf8
  • [2]Patch Commit deleting processPayment.json.php

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•1 day ago•GHSA-8RQH-VXPR-X77P
4.3

GHSA-8RQH-VXPR-X77P: Stored Cross-Site Scripting via MIME Type Spoofing in Plone REST API

A stored Cross-Site Scripting (XSS) vulnerability exists within plone.restapi, the REST API package for Plone content management system. By supplying a spoofed input MIME type (text/x-html-safe), an attacker can mislead the rendering layer (plone.app.textfield) into assuming that the supplied content is already sanitized. This causes the system to skip the safe_html transform, allowing arbitrary JavaScript to execute in the victim's browser when they view the compromised page.

Amit Schendel
Amit Schendel
8 views•7 min read
•1 day ago•CVE-2026-11400
8.0

CVE-2026-11400: Privilege Escalation via Untrusted Search Path in AWS Advanced JDBC Wrapper

An untrusted search path vulnerability in the GlobalDatabasePlugin component of the AWS Advanced JDBC Wrapper for Amazon Aurora PostgreSQL allows authenticated, low-privilege database users to hijack administrative session queries. By defining a custom function in a writable schema such as the public schema, an attacker can hijack queries executed automatically during driver-level topology detection. When a highly privileged database user connects to the database utilizing an affected version of the wrapper, the custom function executes under their security context, enabling remote privilege escalation to rds_superuser.

Alon Barad
Alon Barad
8 views•6 min read
•1 day ago•CVE-2026-27771
8.2

CVE-2026-27771: Authentication Bypass and Information Disclosure in Gitea Container and Composer Registries

CVE-2026-27771 represents a critical security flaw in Gitea and Forgejo (up to and including version 1.26.1) involving missing authorization checks (CWE-862). Unauthenticated remote attackers can query, enumerate, and download private container images from the OCI-compliant container registry. Additionally, unauthorized users can retrieve private or internal source repository URLs via the Composer package registry metadata API. A public proof-of-concept exists, and threat metrics indicate highly active scanning and exploitation risks.

Alon Barad
Alon Barad
14 views•7 min read
•1 day ago•GHSA-CVPC-HCCG-WMW4
8.8

GHSA-CVPC-HCCG-WMW4: Missing Authorization in Formie Administrative Settings Allows Privilege Escalation

A missing authorization vulnerability in the Formie plugin for Craft CMS prior to version 3.1.28 allows low-privileged Control Panel users to read and modify sensitive administrative settings, configuration options, and third-party integrations.

Amit Schendel
Amit Schendel
7 views•6 min read
•1 day ago•CVE-2026-53598
7.5

CVE-2026-53598: Arbitrary File Read via File Reference Expansion in Microsoft Prompty

CVE-2026-53598 is a directory traversal and arbitrary file read vulnerability in Microsoft Prompty ecosystem loaders across multiple languages. Prior to version 2.0.0-beta.2, the loaders resolved `${file:...}` reference strings inside frontmatter configuration blocks without enforcing that the target file paths resided within authorized directories. This deficiency allows an attacker-controlled configuration file to read sensitive operating system and application files through absolute paths, directory traversal, or symbolic link escapes. The issue is addressed across the Python, C#, Node.js/TypeScript, and Rust ecosystems.

Amit Schendel
Amit Schendel
8 views•6 min read
•1 day ago•GHSA-MFR4-MQ8W-VMG6
7.3

GHSA-MFR4-MQ8W-VMG6: Path Traversal in proot-distro copy Command Allows Container Escape

A directory traversal vulnerability exists in the copy subcommand of the proot-distro utility. Due to incomplete path sanitization, local attackers or malicious scripts can read from or write to arbitrary files outside the container rootfs, bypassing isolation barriers and potentially gaining unauthorized access or persistent execution on the host system.

Alon Barad
Alon Barad
7 views•7 min read