CVE-2026-43883
MEDIUMWWBN AVideo: IDOR in PayPalYPT agreementCancel.json.php Allows Any Authenticated User to Cancel Arbitrary PayPal Subscription Agreements
Title source: cnaDescription
WWBN AVideo is an open source video platform. In versions up to and including 29.0, plugin/PayPalYPT/agreementCancel.json.php cancels a PayPal billing agreement using an attacker-supplied agreement parameter without verifying that the authenticated user owns the agreement. A low-privilege authenticated user who learns or obtains another user's PayPal billing agreement ID can silently suspend the victim's recurring subscription, causing revenue loss to the platform and loss of paid service to the victim. Commit 0da3dcff1eda2f497694bf82b559829471c292c2 contains an updated fix.
References (2)
Core 2
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/WWBN/AVideo/security/advisories/GHSA-958h-qp3x-q4gj
X_Refsource_Misc x_refsource_misc
https://github.com/WWBN/AVideo/commit/0da3dcff1eda2f497694bf82b559829471c292c2
Scores
CVSS v3
4.2
EPSS
0.0004
EPSS Percentile
12.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-639
Status
published
Products (2)
wwbn/avideo
0 - 29.0Packagist
WWBN/AVideo
<= 29.0
Published
May 11, 2026
Tracked Since
May 12, 2026