Jun 4, 2026
Authenticated users can inject arbitrary virtual funds into their wallets due to a hardcoded payment success flag and missing API validation in a placeholder endpoint.
An authenticated wallet credit bypass vulnerability exists in WWBN AVideo version 29.0 and earlier. The AuthorizeNet plugin includes an unfinished mockup endpoint, processPayment.json.php, which lacks actual transaction verification and hardcodes success. This allows any authenticated user to credit their wallet with arbitrary balances without making any payments.
WWBN AVideo is an open-source video platform. The software includes various plugins, including AuthorizeNet for payment processing and YPTWallet for virtual wallet management. In versions 29.0 and earlier, a vulnerable file named processPayment.json.php in the AuthorizeNet plugin is accessible to authenticated users.
This endpoint was intended to serve as a development placeholder or test script but was left active in production releases. Because the endpoint does not perform any actual integration with the Authorize.Net API, it trusts input parameters blindly and modifies user balances without a real-world financial transaction.
The vulnerability is tracked as CVE-2026-47696 and GHSA-9392-pj54-qqf8. Its exploitation allows standard authenticated users to artificially increase their virtual currency balance, bypass paywalls, and access premium site features. The scope remains restricted to systems utilizing both the AuthorizeNet and YPTWallet plugins.
The root cause of the vulnerability lies in the file plugin/AuthorizeNet/processPayment.json.php. This file accepts a POST request containing an amount parameter and an optional userData parameter.
The script initializes the AuthorizeNet plugin and converts the user-supplied amount into a floating-point number. While the script validates that the amount is greater than zero, it fails to perform any verification with the payment provider. Instead, the actual call to the Authorize.Net API is commented out with a 'TODO' placeholder.
Following the commented-out block, the script sets a local variable $paymentSuccess to true by default. It then retrieves the logged-in user's ID via the global session and uses the addBalance method of the YPTWallet plugin to add the arbitrary amount directly to the user's account. This represents a classic insufficient verification of data authenticity (CWE-345).
Below is the vulnerable source code as it existed in plugin/AuthorizeNet/processPayment.json.php prior to the patch:
```php
<?php
require_once __DIR__ . '/../../videos/configuration.php';
header('Content-Type: application/json');
$plugin = new AuthorizeNet();
$amount = isset($_POST['amount']) ? floatval($_POST['amount']) : 0;
$userData = isset($_POST['userData']) ? $_POST['userData'] : [];
if ($amount <= 0) {
    echo json_encode(['error' => 'Invalid amount']);
    exit;
}
// TODO: Implement payment logic using Authorize.Net API
// $result = $plugin->chargePayment($amount, $userData);
$paymentSuccess = true;
$users_id = @User::getId();
if ($paymentSuccess && !empty($users_id)) {
    $walletPlugin = AVideoPlugin::loadPluginIfEnabled("YPTWallet");
    if ($walletPlugin) {
        $walletPlugin->addBalance($users_id, $amount, 'Authorize.Net one-time payment');
        echo json_encode(['success' => true, 'result' => 'Payment processed and wallet updated']);
        exit;
    }
}
```

The vulnerability was resolved by completely deleting the processPayment.json.php file in the security fix. Because the file was non-functional and served no business purpose, removing it entirely from the codebase was the most robust remediation strategy, reducing the application's attack surface without introducing complex verification logic.
Exploitation of this vulnerability requires a valid, authenticated user session on the target AVideo platform. The attacker does not need administrative privileges. The target system must have both the AuthorizeNet and YPTWallet plugins enabled.
An attacker begins by logging into their account to establish a session cookie. They then construct an HTTP POST request targeting /plugin/AuthorizeNet/processPayment.json.php with the parameter amount set to the desired virtual credit.
Upon processing, the server executes the script, evaluates $paymentSuccess as true, and directly credits the database ledger for that user session. The response returns a success message confirming the wallet update.
The security impact of CVE-2026-47696 is classified as a high integrity violation. An attacker can generate an unlimited amount of virtual currency on the platform.
While the CVSS 3.1 base score is 4.3 (due to low integrity impact in the standard matrix where the system itself is not fully compromised), the CVSS 4.0 score of 7.1 reflects the true severity. High integrity impact is achieved because the application's core financial and access control business logic is entirely bypassed.
This virtual balance can be used to purchase premium videos, unlock paid subscription plans, or access other paywalled resources within the target site. This leads to immediate financial loss for content creators and platform operators.
The primary remediation is to upgrade WWBN AVideo to a version released after May 19, 2026, which lacks the vulnerable processPayment.json.php script.
If immediate upgrading is not possible, system administrators can manually delete the file from the server's directory:
```bash
rm /var/www/html/AVideo/plugin/AuthorizeNet/processPayment.json.php
```
To detect potential exploitation, administrators should audit web server logs for any POST requests targeting the affected endpoint. Additionally, database administrators should search the wallet transaction table for rows containing the description 'Authorize.Net one-time payment' and cross-reference them with actual payment gateway records.
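The two checks above, as an added example that is not part of the original advisory or of the AVideo project: the first function scans combined-format web server access log lines for POST requests to the removed endpoint, the second reconciles wallet ledger rows labelled 'Authorize.Net one-time payment' against the transactions the gateway actually settled. The log lines, ledger rows and the gateway record set are constructed sample data, and the ledger column names are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in Apache/nginx combined log format (not real traffic).
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [20/May/2026:10:01:12 +0000] "POST /plugin/AuthorizeNet/processPayment.json.php HTTP/1.1" 200 73 "-" "Mozilla/5.0"
203.0.113.7 - - [20/May/2026:10:01:15 +0000] "POST /plugin/AuthorizeNet/processPayment.json.php HTTP/1.1" 200 73 "-" "Mozilla/5.0"
198.51.100.4 - - [20/May/2026:10:02:01 +0000] "GET /plugin/YPTWallet/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [20/May/2026:10:03:44 +0000] "POST /plugin/AuthorizeNet/processPayment.json.php?x=1 HTTP/1.1" 200 73 "-" "curl/8.0"
"""

ENDPOINT = "/plugin/AuthorizeNet/processPayment.json.php"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def find_endpoint_hits(log_text):
    """Return (ip, timestamp, status) for every POST that reached the vulnerable endpoint."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]  # ignore any query string
        if m.group("method") == "POST" and path == ENDPOINT:
            hits.append((m.group("ip"), m.group("ts"), int(m.group("status"))))
    return hits

def hits_per_ip(log_text):
    """Count endpoint hits per client address to spot repeated self-crediting."""
    return Counter(ip for ip, _, _ in find_endpoint_hits(log_text))

# Constructed wallet ledger rows (assumed columns: users_id, amount, description)
# and the (users_id, amount) pairs the real payment gateway reports as settled.
SAMPLE_LEDGER = [
    {"users_id": 42, "amount": 5000.0, "description": "Authorize.Net one-time payment"},
    {"users_id": 7, "amount": 20.0, "description": "Authorize.Net one-time payment"},
    {"users_id": 7, "amount": 10.0, "description": "Admin adjustment"},
]
GATEWAY_SETTLED = {(7, 20.0)}

def unverified_credits(ledger, settled):
    """Ledger credits labelled as Authorize.Net payments that have no gateway record behind them."""
    return [row for row in ledger
            if row["description"] == "Authorize.Net one-time payment"
            and (row["users_id"], row["amount"]) not in settled]
```

Any row returned by unverified_credits is a wallet credit the gateway never saw and is a candidate for reversal.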
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

| Product | Affected Versions | Fixed Version |
|---|---|---|
| AVideo WWBN | <= 29.0 | Commit 8224024 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-345 |
| Attack Vector | Network |
| CVSS v4.0 | 7.1 |
| CVSS v3.1 | 4.3 |
| Exploit Status | PoC |
| KEV Status | Not Listed |
The software does not sufficiently verify the authenticity of data, allowing an attacker to submit unverified parameters that are trusted implicitly by the system.