CVE-2026-47696

Published: Mag 29, 2026 Last Modified: Mag 29, 2026
ExploitDB:
Other exploit source:
Google Dorks:
HIGH 7,1
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: low
User Interaction: none
Confidentiality: N/A
Integrity: N/A
Availability: N/A

Description

AI Translation Available

WWBN AVideo is an open source video platform. In 29.0 and earlier, plugin/AuthorizeNet/processPayment.json.php credits the logged-in user's wallet based only on the attacker-controlled amount POST parameter. The endpoint contains a TODO for real Authorize.Net charging, hardcodes $paymentSuccess = true, and then calls YPTWallet::addBalance() without validating
any Authorize.Net transaction, webhook signature, hosted payment token, nonce, or server-side payment record. This allows any logged-in user to add arbitrary funds to their own AVideo wallet when the AuthorizeNet and YPTWallet plugins are enabled.

345

Insufficient Verification of Data Authenticity

Draft
Abstraction: Class Structure: Simple
Common Consequences
Security Scopes Affected:
Integrity Other
Potential Impacts:
Varies By Context Unexpected State
Applicable Platforms
Technologies: ICS/OT
View CWE Details
https://github.com/WWBN/AVideo/security/advisories/GHSA-939…
https://github.com/WWBN/AVideo/security/advisories/GHSA-9392-pj54-qqf8
https://github.com/WWBN/AVideo/security/advisories/GHSA-939…
https://github.com/WWBN/AVideo/security/advisories/GHSA-9392-pj54-qqf8