CVE-2026-33731
Received Received - Intake

Signature Bypass in WWBN AVideo Webhook Handler

Vulnerability report for CVE-2026-33731, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: GitHub, Inc.

Description

WWBN AVideo is an open source video platform. In versions prior to 29.0, the Authorize.Net webhook handler at plugin/AuthorizeNet/webhook.php contains a signature verification bypass that allows an attacker to forge webhook requests with arbitrary payment amounts and target user IDs. By supplying a valid transaction ID from a small legitimate purchase, the attacker bypasses signature validation and credits arbitrary wallet balances to any user account via attacker-controlled payload fields. Three flaws combine into an exploit chain: signature bypass via OR logic (webhook.php:33), payload values override API-fetched values (AuthorizeNet.php:169-171, webhook.php:44-48) and a missing approval check (webhook.php:61-75). By forging payment metadata, an attacker can credit arbitrary amounts to any user's wallet without a corresponding payment and include a Β plans_idΒ  to activate premium subscriptions (webhook.php:86-134), enabling free access to all paid and premium content and causing direct revenue loss to the platform owner. This issue has been fixed in version 29.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
wwbn avideo to 29.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-345 The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects WWBN AVideo, an open-source video platform. In versions before 29.0, the Authorize.Net webhook handler has a flaw that lets attackers bypass signature verification. This allows them to forge webhook requests with arbitrary payment amounts and target user IDs. By using a valid transaction ID from a small purchase, the attacker can credit any user's wallet balance without actual payment and activate premium subscriptions, leading to free access to paid content and revenue loss for the platform owner.

Detection Guidance

This vulnerability can be detected by checking the version of WWBN AVideo installed. If the version is prior to 29.0, the system is vulnerable. Review the Authorize.Net webhook handler files (plugin/AuthorizeNet/webhook.php and AuthorizeNet.php) for the described flaws in signature verification, payload overrides, and missing approval checks.

Impact Analysis

If you use or host a vulnerable version of WWBN AVideo, an attacker could exploit this to credit arbitrary amounts to user wallets without payment. This could lead to unauthorized access to premium content, financial losses for the platform owner, and potential misuse of user accounts. Users might gain free access to paid features, disrupting the platform's revenue model.

Compliance Impact

This vulnerability could lead to unauthorized access to premium content and user data, potentially violating GDPR's data protection principles and HIPAA's security requirements for protected health information if user data is exposed or misused.

Mitigation Strategies

Immediately upgrade WWBN AVideo to version 29.0 or later to address the signature verification bypass and payload override flaws in the Authorize.Net webhook handler.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33731. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart