CVE-2026-39366
Received Received - Intake
Replay Attack in WWBN AVideo PayPal IPN v1 Handler

Publication date: 2026-04-07

Last updated on: 2026-04-22

Assigner: GitHub, Inc.

Description
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the PayPal IPN v1 handler at plugin/PayPalYPT/ipn.php lacks transaction deduplication, allowing an attacker to replay a single legitimate IPN notification to repeatedly inflate their wallet balance and renew subscriptions. The newer ipnV2.php and webhook.php handlers correctly deduplicate via PayPalYPT_log entries, but the v1 handler was never updated and remains actively referenced as the notify_url for billing plans.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-07
Last Modified
2026-04-22
Generated
2026-06-16
AI Q&A
2026-04-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-39366
EUVD
EUVD-2026-19878
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wwbn avideo to 26.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-345 The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-39366 is a vulnerability in the WWBN AVideo platform's PayPal IPN v1 handler located at plugin/PayPalYPT/ipn.php in versions 26.0 and prior. The issue arises because this handler lacks transaction deduplication, meaning it does not check if a PayPal Instant Payment Notification (IPN) has already been processed.

As a result, an attacker can replay a single legitimate IPN notification multiple times. Each replay causes the system to credit the attacker's wallet balance and renew subscriptions repeatedly without additional payments. This happens because the handler processes the same transaction multiple times without verifying its uniqueness.

Newer handlers (ipnV2.php and webhook.php) include deduplication logic that prevents this replay attack by checking if a transaction ID or cryptographic signature has already been processed and logging each transaction. However, the vulnerable v1 handler remains actively used as the notify_url for billing plans, making it exploitable.

Impact Analysis

This vulnerability can have significant financial and operational impacts on platform operators and users.

  • Attackers can inflate their wallet balance indefinitely by replaying the same PayPal IPN notification multiple times.
  • Subscriptions can be renewed repeatedly without additional payments, granting attackers free and unlimited access to paid content or services.
  • Platform operators may suffer financial losses due to unauthorized wallet credits and subscription renewals.
  • The integrity of the payment and subscription system is compromised, allowing unauthorized modifications.
Detection Guidance

This vulnerability can be detected by monitoring repeated identical IPN (Instant Payment Notification) POST requests to the vulnerable handler at plugin/PayPalYPT/ipn.php. An attacker replays the same legitimate PayPal IPN notification multiple times, which can be identified by repeated transaction IDs (txn_id) or identical cryptographic signatures (verify_sign) in the POST data.

To detect this on your system, you can analyze web server logs or network traffic for multiple identical POST requests to the ipn.php endpoint with the same txn_id or verify_sign values.

Example commands to detect repeated IPN POST requests in Apache logs might include:

  • grep 'plugin/PayPalYPT/ipn.php' /var/log/apache2/access.log | grep 'txn_id=' | sort | uniq -c | sort -nr
  • grep 'plugin/PayPalYPT/ipn.php' /var/log/apache2/access.log | grep 'verify_sign=' | sort | uniq -c | sort -nr

These commands count occurrences of IPN requests grouped by transaction ID or signature, helping identify repeated transactions that indicate exploitation attempts.

Mitigation Strategies

Immediate mitigation steps include implementing transaction deduplication in the vulnerable PayPal IPN v1 handler (plugin/PayPalYPT/ipn.php) to prevent processing duplicate IPN notifications.

Specifically, update the ipn.php handler to check if a transaction ID (txn_id) or cryptographic signature (verify_sign) has already been processed by using the function PayPalYPT::isRecurringPaymentIdUsed(). If the transaction is a duplicate, the handler should skip processing and log the event.

Additionally, log each processed transaction in PayPalYPT_log to maintain an audit trail and prevent replay attacks.

As a further step, consider migrating all PayPal IPN notify_url references from the vulnerable ipn.php to the more secure ipnV2.php or webhook.php handlers, which already implement proper deduplication and logging.

If immediate code changes are not possible, temporarily disabling or blocking access to the vulnerable ipn.php endpoint until a patch is applied can reduce risk.

Compliance Impact

The vulnerability in the PayPal IPN v1 handler allows replay attacks that inflate wallet balances and renew subscriptions without additional payments, leading to unauthorized financial transactions and potential financial losses for platform operators.

While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, the unauthorized modification of wallet balances and subscription renewals could impact compliance with financial integrity and data protection regulations by enabling fraudulent transactions and undermining transaction authenticity.

The lack of transaction deduplication and logging in the vulnerable handler means there is insufficient verification of data authenticity (CWE-345), which could be viewed as a failure to maintain accurate and reliable transaction records, a requirement in many regulatory frameworks.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39366. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart