Medium severity4.2GHSA Advisory· Published May 11, 2026· Updated May 12, 2026

CVE-2026-43883

Description

WWBN AVideo is an open source video platform. In versions up to and including 29.0, plugin/PayPalYPT/agreementCancel.json.php cancels a PayPal billing agreement using an attacker-supplied agreement parameter without verifying that the authenticated user owns the agreement. A low-privilege authenticated user who learns or obtains another user's PayPal billing agreement ID can silently suspend the victim's recurring subscription, causing revenue loss to the platform and loss of paid service to the victim. Commit 0da3dcff1eda2f497694bf82b559829471c292c2 contains an updated fix.

Affected products

WWBN/AvideoGHSA
Range: <= 29.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-958h-qp3x-q4gjghsaADVISORY
github.com/WWBN/AVideo/commit/0da3dcff1eda2f497694bf82b559829471c292c2nvd
github.com/WWBN/AVideo/security/advisories/GHSA-958h-qp3x-q4gjnvd
nvd.nist.gov/vuln/detail/CVE-2026-43883ghsa

News mentions

Metasploit Wrap-Up 04/17/2026
Rapid7 Blog · Apr 17, 2026

cvss	0.273
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000