CVE-2026-39366
Replay Attack in WWBN AVideo PayPal IPN v1 Handler
Publication date: 2026-04-07
Last updated on: 2026-04-22
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wwbn | avideo | up to and including 26.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-345 | The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in the PayPal IPN v1 handler allows replay attacks that inflate wallet balances and renew subscriptions without additional payments, leading to unauthorized financial transactions and potential financial losses for platform operators.
While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, the unauthorized modification of wallet balances and subscription renewals could impact compliance with financial integrity and data protection regulations by enabling fraudulent transactions and undermining transaction authenticity.
The lack of transaction deduplication and logging in the vulnerable handler means there is insufficient verification of data authenticity (CWE-345), which could be viewed as a failure to maintain accurate and reliable transaction records, a requirement in many regulatory frameworks.
Can you explain this vulnerability to me?
CVE-2026-39366 is a vulnerability in the WWBN AVideo platform's PayPal IPN v1 handler located at plugin/PayPalYPT/ipn.php in versions 26.0 and prior. The issue arises because this handler lacks transaction deduplication, meaning it does not check if a PayPal Instant Payment Notification (IPN) has already been processed.
As a result, an attacker can replay a single legitimate IPN notification multiple times. Each replay causes the system to credit the attacker's wallet balance and renew subscriptions repeatedly without additional payments. This happens because the handler processes the same transaction multiple times without verifying its uniqueness.
Newer handlers (ipnV2.php and webhook.php) include deduplication logic that prevents this replay attack by checking if a transaction ID or cryptographic signature has already been processed and logging each transaction. However, the vulnerable v1 handler remains actively used as the notify_url for billing plans, making it exploitable.
How can this vulnerability impact me?
This vulnerability can have significant financial and operational impacts on platform operators and users.
- Attackers can inflate their wallet balance indefinitely by replaying the same PayPal IPN notification multiple times.
- Subscriptions can be renewed repeatedly without additional payments, granting attackers free and unlimited access to paid content or services.
- Platform operators may suffer financial losses due to unauthorized wallet credits and subscription renewals.
- The integrity of the payment and subscription system is compromised, allowing unauthorized modifications.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring repeated identical IPN (Instant Payment Notification) POST requests to the vulnerable handler at plugin/PayPalYPT/ipn.php. An attacker replays the same legitimate PayPal IPN notification multiple times, which can be identified by repeated transaction IDs (txn_id) or identical cryptographic signatures (verify_sign) in the POST data.
To detect this on your system, you can analyze web server logs or network traffic for multiple identical POST requests to the ipn.php endpoint with the same txn_id or verify_sign values.
Example commands to surface repeated IPN requests in Apache logs (the parameter value is extracted with grep -o so that differing timestamps and client addresses on each line do not defeat uniq):
- grep 'plugin/PayPalYPT/ipn.php' /var/log/apache2/access.log | grep -o 'txn_id=[^& ]*' | sort | uniq -c | sort -nr
- grep 'plugin/PayPalYPT/ipn.php' /var/log/apache2/access.log | grep -o 'verify_sign=[^& ]*' | sort | uniq -c | sort -nr
These commands count IPN requests grouped by transaction ID or signature, so a count above one for a single value indicates a repeated notification. Note that Apache's default access log records only the request line, not the POST body, so these parameters appear there only when they were sent in the query string; for POSTed IPN bodies you need a log that captures request bodies (for example a mod_security audit log or application-level logging). A repeated txn_id is also not proof of an attack on its own, since PayPal resends an IPN that the listener did not acknowledge; correlate repeats with the source address and with the wallet credits or subscription renewals they produced.
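The same grouping done more robustly, as an added example that is not part of this page or of AVideo: it parses constructed application-log lines that include the POST body, keeps only requests to the v1 handler path, groups them by txn_id, and reports values seen more than once together with their source addresses, signatures and time span. The log line format and all sample values are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed sample lines (not real traffic): an application-level audit log that
# records the POST body of each IPN request, since Apache's default access log
# does not capture request bodies. Three deliveries of TXN0001 are the replay.
SAMPLE_LOG = """\
2026-04-10T12:00:01Z 203.0.113.5 POST /plugin/PayPalYPT/ipn.php txn_id=TXN0001&payment_status=Completed&mc_gross=9.99&verify_sign=SIGAAA
2026-04-10T12:00:09Z 203.0.113.5 POST /plugin/PayPalYPT/ipn.php txn_id=TXN0001&payment_status=Completed&mc_gross=9.99&verify_sign=SIGAAA
2026-04-10T12:00:15Z 203.0.113.5 POST /plugin/PayPalYPT/ipn.php txn_id=TXN0001&payment_status=Completed&mc_gross=9.99&verify_sign=SIGAAA
2026-04-10T12:05:00Z 198.51.100.7 POST /plugin/PayPalYPT/ipn.php txn_id=TXN0002&payment_status=Completed&mc_gross=4.99&verify_sign=SIGBBB
2026-04-10T12:06:00Z 198.51.100.7 POST /plugin/PayPalYPT/ipnV2.php txn_id=TXN0002&payment_status=Completed&mc_gross=4.99&verify_sign=SIGBBB
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) POST (?P<path>\S+) (?P<body>.*)$")

def find_replayed_ipns(log_text, path="/plugin/PayPalYPT/ipn.php", threshold=2):
    """Group POSTs to the v1 handler by txn_id; return entries seen at least
    `threshold` times with their count, source IPs, signatures and time span."""
    seen = defaultdict(lambda: {"count": 0, "ips": set(), "signs": set(),
                                "first": None, "last": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("path") != path:
            continue  # other endpoints (e.g. ipnV2.php) are out of scope here
        params = parse_qs(m.group("body"))
        txn_id = params.get("txn_id", [None])[0]
        if not txn_id:
            continue
        e = seen[txn_id]
        e["count"] += 1
        e["ips"].add(m.group("ip"))
        e["signs"].add(params.get("verify_sign", [""])[0])
        e["first"] = e["first"] or m.group("ts")
        e["last"] = m.group("ts")
    return {t: e for t, e in seen.items() if e["count"] >= threshold}

if __name__ == "__main__":
    for txn_id, e in find_replayed_ipns(SAMPLE_LOG).items():
        print(f"{txn_id}: {e['count']} hits from {sorted(e['ips'])} "
              f"between {e['first']} and {e['last']}")
```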
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include implementing transaction deduplication in the vulnerable PayPal IPN v1 handler (plugin/PayPalYPT/ipn.php) to prevent processing duplicate IPN notifications.
Specifically, update the ipn.php handler to check if a transaction ID (txn_id) or cryptographic signature (verify_sign) has already been processed by using the function PayPalYPT::isRecurringPaymentIdUsed(). If the transaction is a duplicate, the handler should skip processing and log the event.
Additionally, log each processed transaction in PayPalYPT_log to maintain an audit trail and prevent replay attacks.
As a further step, consider migrating all PayPal IPN notify_url references from the vulnerable ipn.php to the more secure ipnV2.php or webhook.php handlers, which already implement proper deduplication and logging.
If immediate code changes are not possible, temporarily disabling or blocking access to the vulnerable ipn.php endpoint until a patch is applied can reduce risk.
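To show the difference deduplication makes, an added illustration in simplified Python (not the project's PHP code and not PayPalYPT::isRecurringPaymentIdUsed()): the vulnerable pattern credits a wallet on every delivery of the same IPN, while the hardened pattern records each txn_id before crediting and treats any repeat as a logged duplicate. The Ipn fields, the in-memory store standing in for PayPalYPT_log and the cent amounts are assumptions.

```python
from dataclasses import dataclass, field

# Constructed IPN message (not real PayPal data); only the fields the
# deduplication logic needs are modelled, amounts in integer cents.
@dataclass(frozen=True)
class Ipn:
    txn_id: str
    verify_sign: str
    payer_user_id: int
    mc_gross_cents: int
    payment_status: str = "Completed"

@dataclass
class Platform:
    wallets: dict = field(default_factory=dict)    # user id -> balance in cents
    processed: dict = field(default_factory=dict)  # txn_id -> verify_sign (stands in for PayPalYPT_log)
    events: list = field(default_factory=list)     # audit trail of every handled delivery

def handle_ipn_v1(p, ipn):
    """Vulnerable pattern: every accepted IPN credits the wallet, replays included."""
    if ipn.payment_status != "Completed":
        return "ignored"
    p.wallets[ipn.payer_user_id] = p.wallets.get(ipn.payer_user_id, 0) + ipn.mc_gross_cents
    return "credited"

def handle_ipn_dedup(p, ipn):
    """Hardened pattern: record txn_id before crediting; repeats are logged and skipped."""
    if ipn.payment_status != "Completed":
        return "ignored"
    prior_sign = p.processed.get(ipn.txn_id)
    if prior_sign is not None:
        # Same txn_id again: log it (noting whether the signature matches) and do not credit.
        p.events.append(("replay", ipn.txn_id, prior_sign == ipn.verify_sign))
        return "duplicate"
    p.processed[ipn.txn_id] = ipn.verify_sign
    p.wallets[ipn.payer_user_id] = p.wallets.get(ipn.payer_user_id, 0) + ipn.mc_gross_cents
    p.events.append(("credited", ipn.txn_id, ipn.mc_gross_cents))
    return "credited"

def replay(handler, ipn, times):
    """Deliver the same IPN `times` times to a fresh platform; return balance and outcomes."""
    p = Platform()
    results = [handler(p, ipn) for _ in range(times)]
    return p.wallets.get(ipn.payer_user_id, 0), results

if __name__ == "__main__":
    ipn = Ipn("TXN0001", "SIGAAA", payer_user_id=42, mc_gross_cents=999)
    print("v1   :", replay(handle_ipn_v1, ipn, 3))     # balance 2997 after three deliveries
    print("dedup:", replay(handle_ipn_dedup, ipn, 3))  # balance 999, later deliveries "duplicate"
```

In a real handler the check-then-insert must be atomic, for example a UNIQUE index on txn_id with the insert performed before the credit, otherwise two concurrent deliveries can both pass the check.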