Medium severity4.3NVD Advisory· Published May 29, 2026· Updated Jun 1, 2026
CVE-2026-47696
CVE-2026-47696
Description
WWBN AVideo is an open source video platform. In 29.0 and earlier, plugin/AuthorizeNet/processPayment.json.php credits the logged-in user's wallet based only on the attacker-controlled amount POST parameter. The endpoint contains a TODO for real Authorize.Net charging, hardcodes $paymentSuccess = true, and then calls YPTWallet::addBalance() without validating any Authorize.Net transaction, webhook signature, hosted payment token, nonce, or server-side payment record. This allows any logged-in user to add arbitrary funds to their own AVideo wallet when the AuthorizeNet and YPTWallet plugins are enabled.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
WWBN/AVideoPackagist | <= 29.0 | — |
Affected products
3Patches
Vulnerability mechanics
References
4- github.com/WWBN/AVideo/security/advisories/GHSA-9392-pj54-qqf8nvdExploitMitigationVendor AdvisoryWEB
- github.com/advisories/GHSA-9392-pj54-qqf8ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-47696ghsaADVISORY
- github.com/WWBN/AVideo/commit/822402444b4db4e9442779c8c789ffe5312b3627ghsaWEB
News mentions
1- WWBN AVideo: Nine Bugs Disclosed Together — From Wallet Fraud to RCEVypr Intelligence · May 29, 2026