Detection Guidance

This vulnerability involves the StripeYPT plugin's test.php debug endpoint being accessible to any logged-in user, allowing them to trigger subscription cancellations by sending Stripe webhook-style payloads with subscription IDs.

To detect this vulnerability on your system, you can check if the test.php endpoint of the StripeYPT plugin is accessible to authenticated users who are not administrators.

One approach is to attempt accessing the test.php endpoint while logged in as a non-administrator user and observe if subscription operations can be triggered.

Since the endpoint processes Stripe webhook-style payloads, you can use commands like curl to send test POST requests with subscription IDs to see if cancellations are triggered.

• Example curl command to test access (replace URL and subscription ID accordingly):
• curl -X POST -b 'session_cookie=your_auth_cookie' -d '{"id":"sub_123456789"}' https://your-avideo-domain/plugins/StripeYPT/test.php

Note: Replace 'session_cookie=your_auth_cookie' with a valid session cookie for a logged-in non-admin user, and 'sub_123456789' with a subscription ID to test.

If the subscription is cancelled or the endpoint responds indicating subscription operations, the vulnerability is present.

Useful 0 Not Useful 0

Executive Summary

This vulnerability exists in the StripeYPT plugin of the WWBN AVideo platform, versions 26.0 and prior. The plugin includes a debug endpoint called test.php that is accessible to any logged-in user, not just administrators. This endpoint processes Stripe webhook-style payloads and triggers subscription operations. Due to a bug in the retrieveSubscriptions() method, instead of just retrieving subscriptions, it cancels them. As a result, any authenticated user can cancel arbitrary Stripe subscriptions by providing a subscription ID.

Useful 0 Not Useful 0

Impact Analysis

The vulnerability allows any authenticated user to cancel arbitrary Stripe subscriptions. This means unauthorized users can disrupt subscription services by cancelling subscriptions they do not own or manage, potentially causing financial loss and service interruptions for legitimate subscribers.

Useful 0 Not Useful 0

Mitigation Strategies

Since there are no publicly available patches at the time of publication, immediate mitigation steps include restricting access to the StripeYPT plugin's test.php debug endpoint to only trusted administrators.

Additionally, consider disabling or removing the test.php debug endpoint if possible, to prevent any authenticated user from triggering subscription cancellations.

Monitoring and auditing user activity related to subscription management can also help detect any unauthorized cancellation attempts.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows any authenticated user to cancel arbitrary Stripe subscriptions due to improper access control in the StripeYPT plugin's test.php debug endpoint.

While the CVE description does not explicitly mention compliance with standards such as GDPR or HIPAA, unauthorized cancellation of subscriptions could lead to service disruption and potential issues with data integrity and user consent management.

Such unauthorized actions might indirectly affect compliance by violating principles of access control and data protection required under these regulations, especially if subscription data is linked to personal or payment information.

Useful 0 Not Useful 0