CVE-2026-43883 MEDIUM

CVE-2026-43883: WWBN AVideo: IDOR in PayPalYPT agreementCancel.json.php Allows Any Authenticated User to Cancel Arbitrary PayPal Subscription Agreements

Vendor Wwbn

Product AVideo

Weakness CWE-639 · IDOR

Published May 11, 2026

Last update May 12, 2026

View on NVD All CVEs

CVSS base score

4.2/10

Attack vector Network

Attack complexity High

Privileges required Low

User interaction None

Confidentiality None

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L

What the vulnerability does

Description

WWBN AVideo is an open source video platform. In versions up to and including 29.0, plugin/PayPalYPT/agreementCancel.json.php cancels a PayPal billing agreement using an attacker-supplied agreement parameter without verifying that the authenticated user owns the agreement. A low-privilege authenticated user who learns or obtains another user's PayPal billing agreement ID can silently suspend the victim's recurring subscription, causing revenue loss to the platform and loss of paid service to the victim. Commit 0da3dcff1eda2f497694bf82b559829471c292c2 contains an updated fix.

Key dates

Disclosure timeline

May 11, 2026 CVE published

May 12, 2026 Record updated