Executive Summary

This vulnerability exists in the BlockonomicsYPT plugin of the WWBN AVideo platform, specifically in versions 26.0 and prior. The check.php endpoint returns payment order data for any Bitcoin address without requiring any authentication or access control.

Although the endpoint was intended to be used as an AJAX polling helper for the authenticated invoice.php page, it does not perform any access control checks on its own. As a result, an attacker can query payment records for any Bitcoin address used on the platform.

Since Bitcoin addresses are publicly visible on the blockchain, this vulnerability allows unauthorized users to access payment order data linked to any Bitcoin address.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unauthorized disclosure of payment order data associated with Bitcoin addresses on the platform.

An attacker could potentially gather sensitive financial information without needing to authenticate, which may lead to privacy concerns or targeted attacks based on the exposed payment data.

However, the CVSS score of 3.7 indicates a low severity impact, with limited confidentiality impact and no integrity or availability impact.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows unauthorized access to payment order data associated with Bitcoin addresses without authentication. Since Bitcoin addresses are publicly visible on the blockchain, this exposure could lead to unauthorized disclosure of payment information.

However, the provided information does not specify whether the exposed payment data includes personal or sensitive information protected under regulations such as GDPR or HIPAA.

Therefore, the impact on compliance with common standards and regulations cannot be determined from the available data.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by attempting to access the check.php endpoint of the BlockonomicsYPT plugin with a Bitcoin address as a GET parameter and observing if payment order data is returned without authentication.

A simple command to test this is using curl to query the endpoint with a known Bitcoin address:

• curl "https://your-avideo-instance.com/plugin/BlockonomicsYPT/check.php?addr=1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"

If the response returns JSON data containing payment order details without requiring login or authentication, the vulnerability is present.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to add an authentication check at the start of the check.php endpoint to ensure only logged-in users can access payment order data.

For example, insert the following code near the beginning of check.php:

• if (!User::isLogged()) { echo json_encode(["error" => "Login required"]); exit; }

This will prevent unauthenticated users from retrieving sensitive payment information.

Useful 0 Not Useful 0