CVE-2026-47696
Description
WWBN AVideo is an open source video platform. In 29.0 and earlier, plugin/AuthorizeNet/processPayment.json.php credits the logged-in user's wallet based only on the attacker-controlled amount POST parameter. The endpoint contains a TODO for real Authorize.Net charging, hardcodes $paymentSuccess = true, and then calls YPTWallet::addBalance() without validating any Authorize.Net transaction, webhook signature, hosted payment token, nonce, or server-side payment record. This allows any logged-in user to add arbitrary funds to their own AVideo wallet when the AuthorizeNet and YPTWallet plugins are enabled.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated users can add arbitrary funds to their AVideo wallet via the AuthorizeNet plugin by sending a crafted POST request, as the payment endpoint hardcodes success and never validates any transaction.
Vulnerability
In WWBN AVideo 29.0 and earlier, the plugin/AuthorizeNet/processPayment.json.php endpoint is intended to process payments through the Authorize.Net payment gateway and credit the logged-in user's wallet. However, the endpoint contains a TODO comment indicating the real Authorize.Net charging logic was never implemented. Instead, the code reads the amount POST parameter from the attacker-controlled request, checks only that it is greater than zero, hardcodes $paymentSuccess = true, and then calls YPTWallet::addBalance() to credit the user's wallet. No verification is performed of an Authorize.Net transaction ID, webhook signature, hosted payment token, nonce, server-side payment record, currency, or duplicate/replay state [1]. This vulnerability is exploitable when both the AuthorizeNet and YPTWallet plugins are enabled.
Exploitation
An attacker must be a logged-in user of the AVideo platform. The AuthorizeNet plugin must be enabled, and the YPTWallet plugin must be active. The attacker sends a POST request to plugin/AuthorizeNet/processPayment.json.php with a POST parameter amount set to a positive numeric value (e.g., 1000). The endpoint processes the request, bypasses any real payment, and adds the attacker-supplied amount to their wallet balance. No additional authentication, authorization, or validation is required beyond being logged in [1].
Impact
A successful attack allows any authenticated user to arbitrarily increase the balance of their own AVideo wallet without paying any actual funds. The attacker can then use this fake credit for any wallet-dependent features within the platform, causing direct financial loss to the site operator. The integrity of the wallet system is completely compromised, and there is no limit on the amount that can be added per request [1].
Mitigation
As of the advisory publication date, no patched version of AVideo has been released, and the vendor has not confirmed a fix or published a workaround [1]. Until a patch is available, remove the vulnerable endpoint or block requests to plugin/AuthorizeNet/processPayment.json.php at the web server; disabling the AuthorizeNet plugin also closes the hole, because the wallet is only credited when both the AuthorizeNet and YPTWallet plugins are enabled. Operators should additionally reconcile wallet credits that went through this endpoint against their Authorize.Net transaction records, since any balance added without a matching gateway transaction was never paid for. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities catalog at the time of writing.
AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"The endpoint hardcodes payment success and credits the wallet based solely on a client-supplied amount without any server-side payment validation."
Attack vector
An attacker with any valid user account sends a POST request to `plugin/AuthorizeNet/processPayment.json.php` with a crafted `amount` parameter (e.g., `amount=9999`). The endpoint does not perform any real payment processing — it hardcodes success and credits the wallet with the attacker-supplied value [ref_id=1]. No Authorize.Net hosted payment page, card data, or server-side validation is required [CWE-862].
Affected code
The vulnerability resides in `plugin/AuthorizeNet/processPayment.json.php`. The endpoint reads `$_POST['amount']` from the client, hardcodes `$paymentSuccess = true`, and calls `YPTWallet::addBalance()` without validating any Authorize.Net transaction, token, or webhook signature [ref_id=1].
What the fix does
The advisory recommends removing or disabling `processPayment.json.php` if it is obsolete, and never crediting wallet balance from a client-supplied amount alone. The fix must require a verified Authorize.Net transaction ID and server-side amount lookup before calling `addBalance()`, and should use the existing Authorize.Net hosted token / webhook / transaction reconciliation flow [ref_id=1]. No patch has been published.
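To make the contrast concrete, the following is an added illustration written for this page; it is not AVideo's source and not code from the advisory. The first function reproduces the pattern the advisory describes (client-supplied amount, hardcoded success). The second shows the shape of the recommended fix: the client submits only a transaction reference, the server looks the transaction up at Authorize.Net, checks its state and ownership, records the transaction ID to prevent replay, and credits the gateway's settled amount rather than anything from the request. The Authorize.Net calls follow the official authorizenet/authorizenet PHP SDK's GetTransactionDetails request; the `authorizenet_transactions` table (assumed to have a unique index on `trans_id`), the `getMerchantAuth()` helper, the `wallet-<userId>` invoice convention, and the argument order of `YPTWallet::addBalance()` are assumptions for the example.

```php
<?php
// Added illustration: vulnerable pattern vs hardened handler. Not AVideo's
// actual source; identifiers marked "assumed" are hypothetical.

use net\authorize\api\contract\v1 as AnetAPI;
use net\authorize\api\controller as AnetController;
use net\authorize\api\constants\ANetEnvironment;

// --- Vulnerable pattern, as described in the advisory ---------------------
function processPaymentVulnerable(array $post, int $userId): array
{
    $amount = floatval($post['amount'] ?? 0);   // attacker-controlled value
    if ($amount <= 0) {
        return ['error' => true, 'msg' => 'invalid amount'];
    }
    // TODO: real Authorize.Net charge was never implemented
    $paymentSuccess = true;                      // hardcoded success
    if ($paymentSuccess) {
        // Credits whatever the client sent (argument order assumed)
        YPTWallet::addBalance($userId, $amount);
    }
    return ['error' => false, 'credited' => $amount];
}

// --- Hardened handler --------------------------------------------------------
function processPaymentHardened(array $post, int $userId, PDO $db): array
{
    // 1. The client supplies only a transaction reference, never an amount.
    $transId = trim((string)($post['transId'] ?? ''));
    if (!preg_match('/^\d{1,20}$/', $transId)) {
        return ['error' => true, 'msg' => 'missing or malformed transaction id'];
    }

    // 2. Replay check: a transaction id may credit a wallet at most once
    //    (assumed table authorizenet_transactions, unique index on trans_id).
    $stmt = $db->prepare('SELECT 1 FROM authorizenet_transactions WHERE trans_id = ?');
    $stmt->execute([$transId]);
    if ($stmt->fetchColumn()) {
        return ['error' => true, 'msg' => 'transaction already credited'];
    }

    // 3. Server-side lookup of the transaction at Authorize.Net (official SDK).
    //    getMerchantAuth() is an assumed helper returning a
    //    MerchantAuthenticationType built from the plugin's stored credentials.
    $req = new AnetAPI\GetTransactionDetailsRequest();
    $req->setMerchantAuthentication(getMerchantAuth());
    $req->setTransId($transId);
    $ctl  = new AnetController\GetTransactionDetailsController($req);
    $resp = $ctl->executeWithApiResponse(ANetEnvironment::PRODUCTION);
    if ($resp === null || $resp->getMessages()->getResultCode() !== 'Ok') {
        return ['error' => true, 'msg' => 'gateway lookup failed'];
    }
    $tx = $resp->getTransaction();

    // 4. Only an approved charge (responseCode 1) that has been captured counts.
    $okStates = ['capturedPendingSettlement', 'settledSuccessfully'];
    if ((int)$tx->getResponseCode() !== 1
        || !in_array($tx->getTransactionStatus(), $okStates, true)) {
        return ['error' => true, 'msg' => 'transaction not approved or not captured'];
    }

    // 5. Ownership: our own checkout is assumed to stamp the invoice number
    //    with the purchasing user, so a user cannot redeem someone else's charge.
    $order = $tx->getOrder();
    if ($order === null || $order->getInvoiceNumber() !== "wallet-{$userId}") {
        return ['error' => true, 'msg' => 'transaction does not belong to this user'];
    }

    // 6. Credit exactly the amount the gateway settled, recording the id in the
    //    same database transaction so a concurrent duplicate fails on the unique index.
    $amount = (float)$tx->getSettleAmount();
    $db->beginTransaction();
    try {
        $ins = $db->prepare(
            'INSERT INTO authorizenet_transactions (trans_id, users_id, amount) VALUES (?, ?, ?)'
        );
        $ins->execute([$transId, $userId, $amount]);
        YPTWallet::addBalance($userId, $amount);   // gateway amount, not $_POST
        $db->commit();
    } catch (Throwable $e) {
        $db->rollBack();
        return ['error' => true, 'msg' => 'credit failed'];
    }
    return ['error' => false, 'credited' => $amount];
}
```

The essential difference is where the amount comes from: in the hardened version nothing from the request body ever reaches `addBalance()`, and the transaction ID is consumed once. A webhook-driven design (Authorize.Net signature-verified notifications) would work the same way, with the verified notification rather than a client POST triggering the lookup.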
Preconditions
- config: AuthorizeNet plugin must be enabled
- config: YPTWallet plugin must be enabled
- auth: Attacker must have a valid authenticated user session
- input: Attacker sends a POST request with an arbitrary amount parameter
Reproduction
Log in as any user, send `curl -i -s -b 'PHPSESSID=<user_session>' -X POST 'https://target.example/plugin/AuthorizeNet/processPayment.json.php' --data 'amount=9999&userData[note]=poc'`, then refresh the wallet page to see the balance increased by 9999 [ref_id=1].
Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (1)
News mentions (0)
No linked articles in our index yet.