CVE-2026-47696 HIGH

CVE-2026-47696: WWBN AVideo: Authenticated wallet credit bypass in AuthorizeNet processPayment endpoint

Vendor Wwbn
Product AVideo
Weakness CWE-345
Published May 29, 2026
Last update May 29, 2026

CVSS base score

7.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

WWBN AVideo is an open source video platform. In 29.0 and earlier, plugin/AuthorizeNet/processPayment.json.php credits the logged-in user's wallet based only on the attacker-controlled amount POST parameter. The endpoint contains a TODO for real Authorize.Net charging, hardcodes $paymentSuccess = true, and then calls YPTWallet::addBalance() without validating any Authorize.Net transaction, webhook signature, hosted payment token, nonce, or server-side payment record. This allows any logged-in user to add arbitrary funds to their own AVideo wallet when the AuthorizeNet and YPTWallet plugins are enabled.

Key dates

02Disclosure timeline

May 29, 2026 CVE published
May 29, 2026 Record updated

Related vulnerabilities

04Related CVE