CVE-2026-43883
Received Received - Intake
Unauthorized PayPal Billing Agreement Cancellation in WWBN AVideo

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: GitHub, Inc.

Description
WWBN AVideo is an open source video platform. In versions up to and including 29.0, plugin/PayPalYPT/agreementCancel.json.php cancels a PayPal billing agreement using an attacker-supplied agreement parameter without verifying that the authenticated user owns the agreement. A low-privilege authenticated user who learns or obtains another user's PayPal billing agreement ID can silently suspend the victim's recurring subscription, causing revenue loss to the platform and loss of paid service to the victim. Commit 0da3dcff1eda2f497694bf82b559829471c292c2 contains an updated fix.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-11
Last Modified
2026-05-11
Generated
2026-06-21
AI Q&A
2026-05-12
EPSS Evaluated
2026-06-20
NVD
CVE-2026-43883
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wwbn avideo to 29.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in WWBN AVideo, an open source video platform, in versions up to and including 29.0. The issue is in the plugin PayPalYPT, specifically in the agreementCancel.json.php file, which cancels a PayPal billing agreement using an attacker-supplied agreement parameter without verifying that the authenticated user actually owns that agreement.

As a result, a low-privilege authenticated user who obtains another user's PayPal billing agreement ID can silently suspend the victim's recurring subscription.

Compliance Impact

This vulnerability allows a low-privilege authenticated user to cancel another user's PayPal billing agreement without proper authorization, leading to loss of paid services for the victim and revenue loss for the platform.

While the CVE description does not explicitly mention compliance with standards such as GDPR or HIPAA, the unauthorized cancellation of billing agreements could potentially impact compliance by violating principles of data integrity and user consent.

Specifically, GDPR requires protecting user data and ensuring that actions affecting user services are authorized and transparent. This vulnerability could be seen as a failure to properly secure user transactions and billing data, which might lead to non-compliance with such regulations.

Impact Analysis

This vulnerability can cause revenue loss to the platform because attackers can suspend recurring subscriptions without authorization.

It also causes loss of paid service to the victim, as their recurring subscription can be silently canceled by an attacker.

Mitigation Strategies

To mitigate this vulnerability, update WWBN AVideo to a version that includes the fix from commit 0da3dcff1eda2f497694bf82b559829471c292c2 or later.

This fix ensures that the plugin PayPalYPT/agreementCancel.json.php properly verifies that the authenticated user owns the PayPal billing agreement before allowing cancellation.

Until the update is applied, restrict access to the vulnerable endpoint to trusted users only and monitor for suspicious activity involving PayPal billing agreement cancellations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43883. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart