CVE-2026-47696
WWBN AVideo: Authenticated wallet credit bypass in AuthorizeNet processPayment endpoint
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
WWBN AVideo is an open source video platform. In 29.0 and earlier, plugin/AuthorizeNet/processPayment.json.php credits the logged-in user's wallet based only on the attacker-controlled amount POST parameter. The endpoint contains a TODO for real Authorize.Net charging, hardcodes $paymentSuccess = true, and then calls YPTWallet::addBalance() without validating any Authorize.Net transaction, webhook signature, hosted payment token, nonce, or server-side payment record. This allows any logged-in user to add arbitrary funds to their own AVideo wallet when the AuthorizeNet and YPTWallet plugins are enabled.
| CWE | CWE-345 |
| Vendor | wwbn |
| Product | avideo |
| Published | May 29, 2026 |
| Last Updated | May 29, 2026 |
Stay Ahead of the Next One
Get instant alerts for wwbn avideo
Be the first to know when new unknown vulnerabilities affecting wwbn avideo are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
WWBN / AVideo
<= 29.0