CVE-2026-35448
Unauthorized Data Exposure in WWBN AVideo BlockonomicsYPT Plugin
Publication date: 2026-04-06
Last updated on: 2026-04-14
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wwbn | avideo | up to and including 26.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the BlockonomicsYPT plugin of the WWBN AVideo platform, specifically in versions 26.0 and prior. The check.php endpoint returns payment order data for any Bitcoin address without requiring any authentication or access control.
Although the endpoint was intended to be used as an AJAX polling helper for the authenticated invoice.php page, it does not perform any access control checks on its own. As a result, an attacker can query payment records for any Bitcoin address used on the platform.
Because the Bitcoin addresses the platform issues are visible on the public blockchain, an attacker does not need to guess or brute-force them: any address that has received a payment can be looked up on chain and then fed to check.php, so unauthenticated users can retrieve the payment order data linked to any address the platform has used.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure of payment order data associated with Bitcoin addresses on the platform.
An attacker could potentially gather sensitive financial information without needing to authenticate, which may lead to privacy concerns or targeted attacks based on the exposed payment data.
The CVSS score of 3.7 given for this issue corresponds to Low severity: limited confidentiality impact and no integrity or availability impact, since the endpoint only reads order data and cannot change it.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthorized access to payment order data associated with Bitcoin addresses without authentication. Since Bitcoin addresses are publicly visible on the blockchain, this exposure could lead to unauthorized disclosure of payment information.
However, the provided information does not specify whether the exposed payment data includes personal or sensitive information protected under regulations such as GDPR or HIPAA.
Therefore, the impact on compliance with common standards and regulations cannot be determined from the available data.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by requesting the check.php endpoint of the BlockonomicsYPT plugin from an unauthenticated session (no AVideo session cookie) with a Bitcoin address as the GET parameter, and observing whether payment order data comes back.
A simple way to test this is curl, which sends no cookies by default; the parameter name below (addr) should be confirmed against the check.php shipped with your plugin version, and the address should be one your instance actually issued for an invoice, because an address the platform never used will return no order regardless of the check:
- curl -i "https://your-avideo-instance.com/plugin/BlockonomicsYPT/check.php?addr=1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
If the response is HTTP 200 with JSON containing payment order details although no login was performed, the vulnerability is present. A redirect to the login page, a 401/403, or an error body indicates that an access check is in place.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to add an authentication check at the start of the check.php endpoint so that anonymous requests are rejected before any order lookup is performed. Check the GitHub advisory for this CVE for a patched plugin release and update to it; the code below is a stopgap for instances that cannot update right away.
For example, insert the following near the beginning of check.php (User::isLogged() is AVideo's own session check; the status code is set so that the invoice page's polling code sees a failure rather than a 200 with an error body):
- if (!User::isLogged()) { http_response_code(401); echo json_encode(["error" => "Login required"]); exit; }
This prevents unauthenticated users from retrieving payment information. Note that a login check alone does not fully address CWE-862: any registered user could still query orders belonging to other users. The endpoint should also verify that the order for the requested address belongs to the logged-in user (or that the caller is an administrator) before returning it.
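The following is an added example, not code from the AVideo project or from the BlockonomicsYPT plugin: a framework-neutral version of the access gate a payment-status endpoint like check.php needs, going beyond the login-only check above by also enforcing ownership of the order. The order table, the session array shape and the function name checkPaymentStatus are assumptions for illustration; in a real AVideo deployment the identity fields would come from User::isLogged(), User::getId() and User::isAdmin(), and the order lookup from the plugin's own database access.

```php
<?php
// Added example (not AVideo/BlockonomicsYPT code): authorization gate for a
// Bitcoin payment-status endpoint. Demonstrates the full CWE-862 fix:
// authenticate, validate the address, then confirm the caller owns the order.

// Constructed sample order store, keyed by the Bitcoin address issued to the buyer.
// (In the real plugin this would be a database query; the rows here are made up.)
const SAMPLE_ORDERS = [
    '1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa' => ['order_id' => 17, 'users_id' => 42, 'status' => 'pending', 'btc_amount' => 0.0012],
    '3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy' => ['order_id' => 18, 'users_id' => 7,  'status' => 'paid',    'btc_amount' => 0.0050],
];

/**
 * Decide what may be returned for $addr to the caller described by $session.
 * $session = ['logged' => bool, 'users_id' => int|null, 'admin' => bool]
 * (assumed shape; AVideo would supply these via User::isLogged()/getId()/isAdmin()).
 * Returns [httpStatus, responseBody].
 */
function checkPaymentStatus(string $addr, array $session, array $orders = SAMPLE_ORDERS): array
{
    // 1. Authentication: anonymous callers get nothing (the login check proposed above).
    if (empty($session['logged'])) {
        return [401, ['error' => 'Login required']];
    }

    // 2. Input sanity check: legacy/P2SH base58 or bech32 shape only, so the value is
    //    safe to use as a lookup key. This is a format filter, not full address validation.
    if (!preg_match('/^([13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{8,87})$/', $addr)) {
        return [400, ['error' => 'Invalid address']];
    }

    // 3. Authorization: the order must exist AND belong to the caller, unless the caller
    //    is an admin. "Not found" and "not yours" return the same response so the endpoint
    //    cannot be used to confirm which addresses have orders on this instance.
    $order   = $orders[$addr] ?? null;
    $isOwner = $order !== null && (int)$order['users_id'] === (int)($session['users_id'] ?? -1);
    if ($order === null || (!$isOwner && empty($session['admin']))) {
        return [404, ['error' => 'Order not found']];
    }

    // 4. Return only what the invoice page needs to poll, not the whole order record.
    return [200, ['status' => $order['status'], 'btc_amount' => $order['btc_amount']]];
}

// Stand-alone demo of the cases the fix has to distinguish (php thisfile.php).
if (PHP_SAPI === 'cli' && realpath($argv[0] ?? '') === __FILE__) {
    $addr = '1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa';
    $cases = [
        'anonymous'  => ['logged' => false],
        'other user' => ['logged' => true, 'users_id' => 7],
        'owner'      => ['logged' => true, 'users_id' => 42],
        'admin'      => ['logged' => true, 'users_id' => 1, 'admin' => true],
    ];
    foreach ($cases as $label => $session) {
        [$code, $body] = checkPaymentStatus($addr, $session);
        printf("%-10s -> HTTP %d %s\n", $label, $code, json_encode($body));
    }
}
```

Wired into an endpoint, the result would be emitted with http_response_code($code), a JSON Content-Type header and echo json_encode($body). The design choice worth keeping is step 3: returning the same 404 for "no such order" and "someone else's order" means an authenticated attacker learns nothing about which addresses have been issued by the instance, which is the enumeration this CVE makes possible for anonymous users.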