CVE-2026-43883
Unauthorized PayPal Billing Agreement Cancellation in WWBN AVideo

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: GitHub, Inc.

Description
WWBN AVideo is an open source video platform. In versions up to and including 29.0, plugin/PayPalYPT/agreementCancel.json.php cancels a PayPal billing agreement using an attacker-supplied agreement parameter without verifying that the authenticated user owns the agreement. A low-privilege authenticated user who learns or obtains another user's PayPal billing agreement ID can silently suspend the victim's recurring subscription, causing revenue loss to the platform and loss of paid service to the victim. Commit 0da3dcff1eda2f497694bf82b559829471c292c2 contains an updated fix.
Meta Information
Generated: 2026-05-12
AI Q&A generated: 2026-05-12
EPSS evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor | Product | Version / Range
wwbn   | avideo  | up to 29.0 (inclusive)
CWE
CWE-639: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in WWBN AVideo, an open source video platform, in versions up to and including 29.0. The issue is in the plugin PayPalYPT, specifically in the agreementCancel.json.php file, which cancels a PayPal billing agreement using an attacker-supplied agreement parameter without verifying that the authenticated user actually owns that agreement.

As a result, a low-privilege authenticated user who obtains another user's PayPal billing agreement ID can silently suspend the victim's recurring subscription.

How can this vulnerability impact me?

This vulnerability can cause revenue loss to the platform because attackers can suspend recurring subscriptions without authorization.

It also causes loss of paid service to the victim, as their recurring subscription can be silently canceled by an attacker.

What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, update WWBN AVideo to a version that includes the fix from commit 0da3dcff1eda2f497694bf82b559829471c292c2 or later.

This fix makes the PayPalYPT plugin's agreementCancel.json.php verify that the authenticated user owns the PayPal billing agreement before allowing the cancellation.

Until the update is applied, restrict access to the vulnerable endpoint to trusted users only and monitor for suspicious activity involving PayPal billing agreement cancellations.
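To make the missing check concrete, here is an added PHP sketch (not AVideo's code and not the fix commit) of the handler shape the advisory describes beside a version that enforces ownership before cancelling. The lookup table, loadAgreementOwner(), cancelPayPalAgreement() and the session user argument are constructed stand-ins; only the `agreement` request parameter comes from the advisory.

```php
<?php
// Added illustration, not AVideo's code or the fix commit: the vulnerable
// handler shape (cancel whatever agreement ID the caller supplies) beside a
// version that enforces ownership first. The lookup table and the two helper
// functions are constructed stand-ins for real storage and the PayPal client.

// Constructed sample data: agreement ID => owning user ID.
const AGREEMENT_OWNERS = ['I-AAAA1111' => 7, 'I-BBBB2222' => 42];

function loadAgreementOwner(string $agreementId): ?int
{
    return AGREEMENT_OWNERS[$agreementId] ?? null;
}

function cancelPayPalAgreement(string $agreementId): void
{
    echo "cancelled $agreementId\n";   // real code would call PayPal here
}

/** Vulnerable shape (CWE-639): request-supplied key used as-is. */
function agreementCancelVulnerable(array $request): array
{
    $agreementId = (string)($request['agreement'] ?? '');
    if ($agreementId === '') {
        return ['error' => true, 'msg' => 'missing agreement'];
    }
    cancelPayPalAgreement($agreementId);   // nobody asked who owns it
    return ['error' => false];
}

/** Hardened shape: resolve the owner server-side, compare to the session user. */
function agreementCancelHardened(array $request, ?int $currentUserId): array
{
    if ($currentUserId === null) {
        return ['error' => true, 'msg' => 'login required'];
    }
    $agreementId = (string)($request['agreement'] ?? '');
    $ownerId = loadAgreementOwner($agreementId);
    // One generic answer for "unknown" and "not yours", so the endpoint
    // cannot be used to probe which agreement IDs exist.
    if ($ownerId === null || $ownerId !== $currentUserId) {
        error_log("agreementCancel denied user=$currentUserId agreement=$agreementId");
        return ['error' => true, 'msg' => 'agreement not found'];
    }
    cancelPayPalAgreement($agreementId);
    return ['error' => false];
}

// User 7 asks to cancel user 42's agreement: only the hardened path refuses.
var_dump(agreementCancelVulnerable(['agreement' => 'I-BBBB2222'])['error']);
var_dump(agreementCancelHardened(['agreement' => 'I-BBBB2222'], 7)['error']);
```

The denied-request log line is the hook for the monitoring the mitigation answer recommends: a burst of denials from one account against many agreement IDs is the pattern to alert on.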
