Vulnerability-Lookup

CVE-2026-34737 (GCVE-0-2026-34737)

Vulnerability from cvelistv5 – Published: 2026-03-31 20:53 – Updated: 2026-04-03 16:34

Title

AVideo: Arbitrary Stripe Subscription Cancellation via Debug Endpoint and retrieveSubscriptions() Bug

Summary

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the StripeYPT plugin includes a test.php debug endpoint that is accessible to any logged-in user, not just administrators. This endpoint processes Stripe webhook-style payloads and triggers subscription operations, including cancellation. Due to a bug in the retrieveSubscriptions() method that cancels subscriptions instead of merely retrieving them, any authenticated user can cancel arbitrary Stripe subscriptions by providing a subscription ID. At time of publication, there are no publicly available patches.

Severity ?

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CWE

CWE-862 - Missing Authorization

Assigner

GitHub_M

References

URL

Tags

https://github.com/WWBN/AVideo/security/advisorie…

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	WWBN	AVideo	Affected: <= 26.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-34737",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-03T16:34:16.091055Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-03T16:34:47.338Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "AVideo",
          "vendor": "WWBN",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 26.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "WWBN AVideo is an open source video platform. In versions 26.0 and prior, the StripeYPT plugin includes a test.php debug endpoint that is accessible to any logged-in user, not just administrators. This endpoint processes Stripe webhook-style payloads and triggers subscription operations, including cancellation. Due to a bug in the retrieveSubscriptions() method that cancels subscriptions instead of merely retrieving them, any authenticated user can cancel arbitrary Stripe subscriptions by providing a subscription ID. At time of publication, there are no publicly available patches."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862: Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-31T20:53:51.550Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-38rh-4v39-vfxv",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-38rh-4v39-vfxv"
        }
      ],
      "source": {
        "advisory": "GHSA-38rh-4v39-vfxv",
        "discovery": "UNKNOWN"
      },
      "title": "AVideo: Arbitrary Stripe Subscription Cancellation via Debug Endpoint and retrieveSubscriptions() Bug"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-34737",
    "datePublished": "2026-03-31T20:53:51.550Z",
    "dateReserved": "2026-03-30T18:41:20.754Z",
    "dateUpdated": "2026-04-03T16:34:47.338Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-34737\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-31T21:16:32.247\",\"lastModified\":\"2026-04-01T18:45:32.093\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"WWBN AVideo is an open source video platform. In versions 26.0 and prior, the StripeYPT plugin includes a test.php debug endpoint that is accessible to any logged-in user, not just administrators. This endpoint processes Stripe webhook-style payloads and triggers subscription operations, including cancellation. Due to a bug in the retrieveSubscriptions() method that cancels subscriptions instead of merely retrieving them, any authenticated user can cancel arbitrary Stripe subscriptions by providing a subscription ID. At time of publication, there are no publicly available patches.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-862\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"26.0\",\"matchCriteriaId\":\"774C24F1-9D26-484F-B931-1DA107C8F588\"}]}]}],\"references\":[{\"url\":\"https://github.com/WWBN/AVideo/security/advisories/GHSA-38rh-4v39-vfxv\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-34737\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-03T16:34:16.091055Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-03T16:34:42.934Z\"}}], \"cna\": {\"title\": \"AVideo: Arbitrary Stripe Subscription Cancellation via Debug Endpoint and retrieveSubscriptions() Bug\", \"source\": {\"advisory\": \"GHSA-38rh-4v39-vfxv\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"WWBN\", \"product\": \"AVideo\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c= 26.0\"}]}], \"references\": [{\"url\": \"https://github.com/WWBN/AVideo/security/advisories/GHSA-38rh-4v39-vfxv\", \"name\": \"https://github.com/WWBN/AVideo/security/advisories/GHSA-38rh-4v39-vfxv\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"WWBN AVideo is an open source video platform. In versions 26.0 and prior, the StripeYPT plugin includes a test.php debug endpoint that is accessible to any logged-in user, not just administrators. This endpoint processes Stripe webhook-style payloads and triggers subscription operations, including cancellation. Due to a bug in the retrieveSubscriptions() method that cancels subscriptions instead of merely retrieving them, any authenticated user can cancel arbitrary Stripe subscriptions by providing a subscription ID. At time of publication, there are no publicly available patches.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-862\", \"description\": \"CWE-862: Missing Authorization\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-31T20:53:51.550Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-34737\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-03T16:34:47.338Z\", \"dateReserved\": \"2026-03-30T18:41:20.754Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-31T20:53:51.550Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-34737

Vulnerability from fkie_nvd - Published: 2026-03-31 21:16 - Updated: 2026-04-01 18:45

Severity ?

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/WWBN/AVideo/security/advisories/GHSA-38rh-4v39-vfxv	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	wwbn	avideo	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "774C24F1-9D26-484F-B931-1DA107C8F588",
              "versionEndIncluding": "26.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "WWBN AVideo is an open source video platform. In versions 26.0 and prior, the StripeYPT plugin includes a test.php debug endpoint that is accessible to any logged-in user, not just administrators. This endpoint processes Stripe webhook-style payloads and triggers subscription operations, including cancellation. Due to a bug in the retrieveSubscriptions() method that cancels subscriptions instead of merely retrieving them, any authenticated user can cancel arbitrary Stripe subscriptions by providing a subscription ID. At time of publication, there are no publicly available patches."
    }
  ],
  "id": "CVE-2026-34737",
  "lastModified": "2026-04-01T18:45:32.093",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-31T21:16:32.247",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-38rh-4v39-vfxv"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-862"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

GHSA-38RH-4V39-VFXV

Vulnerability from github – Published: 2026-04-01 21:06 – Updated: 2026-04-01 21:06

Summary

AVideo: Arbitrary Stripe Subscription Cancellation via Debug Endpoint and retrieveSubscriptions() Bug

Details

Summary

The StripeYPT plugin includes a test.php debug endpoint that is accessible to any logged-in user, not just administrators. This endpoint processes Stripe webhook-style payloads and triggers subscription operations, including cancellation. Due to a bug in the retrieveSubscriptions() method that cancels subscriptions instead of merely retrieving them, any authenticated user can cancel arbitrary Stripe subscriptions by providing a subscription ID.

Details

At plugin/StripeYPT/test.php:4, the endpoint checks only for a logged-in user, not for admin privileges:

if (!User::isLogged())

At lines 27-29, the endpoint accepts a JSON payload from the request and processes it through the Stripe metadata handler:

$obj = StripeYPT::getMetadataOrFromSubscription(json_decode($_REQUEST['payload']));

The call chain proceeds as follows: - test.php calls getMetadataOrFromSubscription() - Which calls getSubscriptionId() to extract the subscription ID - Which calls retrieveSubscriptions() to interact with the Stripe API

At StripeYPT.php:933, the retrieveSubscriptions() method contains a critical bug where it cancels the subscription instead of just retrieving it:

$response = $sub->cancel();

This same bug also affects the production webhook processing path via processSubscriptionIPN(), meaning both the debug endpoint and the live webhook handler can trigger unintended cancellations.

Proof of Concept

Log in as any regular (non-admin) user and obtain a session cookie.
Send a crafted payload to the test endpoint with a target subscription ID:

curl -b "PHPSESSID=USER_SESSION" \
  "https://your-avideo-instance.com/plugin/StripeYPT/test.php" \
  -d 'payload={"data":{"object":{"id":"sub_TARGET_SUBSCRIPTION_ID","customer":"cus_CUSTOMER_ID"}}}'

The endpoint processes the payload, calls retrieveSubscriptions(), and the subscription is cancelled via the Stripe API.
To enumerate subscription IDs, check if the application exposes them through other endpoints or use predictable patterns:

# Check user subscription details if accessible
curl -b "PHPSESSID=USER_SESSION" \
  "https://your-avideo-instance.com/plugin/StripeYPT/listSubscriptions.php"

The Stripe subscription is now cancelled. The affected user loses access to their paid features.

Impact

Any logged-in user can cancel arbitrary Stripe subscriptions belonging to other users. This causes direct financial damage to the platform operator (lost subscription revenue) and service disruption for paying subscribers who lose access to premium features. The debug endpoint should have been removed from production or restricted to admin-only access, and the retrieveSubscriptions() method should retrieve rather than cancel subscriptions.

CWE-862: Missing Authorization
Severity: Medium

Recommended Fix

Two changes are needed:

1. Restrict the debug endpoint to admins at plugin/StripeYPT/test.php:4:

// plugin/StripeYPT/test.php:4
if (!User::isAdmin())

Change User::isLogged() to User::isAdmin() so only administrators can access the debug endpoint.

2. Fix the retrieval bug at StripeYPT.php:933:

Remove the $sub->cancel() call from retrieveSubscriptions() so that the function only retrieves subscription data without cancelling it:

// StripeYPT.php:933 - remove the following line:
// $response = $sub->cancel();

The retrieveSubscriptions() method should retrieve subscription information, not cancel subscriptions as a side effect.

Found by aisafe.io

Severity ?

6.5 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "wwbn/avideo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "26.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-34737"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-01T21:06:58Z",
    "nvd_published_at": "2026-03-31T21:16:32Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nThe StripeYPT plugin includes a `test.php` debug endpoint that is accessible to any logged-in user, not just administrators. This endpoint processes Stripe webhook-style payloads and triggers subscription operations, including cancellation. Due to a bug in the `retrieveSubscriptions()` method that cancels subscriptions instead of merely retrieving them, any authenticated user can cancel arbitrary Stripe subscriptions by providing a subscription ID.\n\n## Details\n\nAt `plugin/StripeYPT/test.php:4`, the endpoint checks only for a logged-in user, not for admin privileges:\n\n```php\nif (!User::isLogged())\n```\n\nAt lines 27-29, the endpoint accepts a JSON payload from the request and processes it through the Stripe metadata handler:\n\n```php\n$obj = StripeYPT::getMetadataOrFromSubscription(json_decode($_REQUEST[\u0027payload\u0027]));\n```\n\nThe call chain proceeds as follows:\n- `test.php` calls `getMetadataOrFromSubscription()`\n- Which calls `getSubscriptionId()` to extract the subscription ID\n- Which calls `retrieveSubscriptions()` to interact with the Stripe API\n\nAt `StripeYPT.php:933`, the `retrieveSubscriptions()` method contains a critical bug where it cancels the subscription instead of just retrieving it:\n\n```php\n$response = $sub-\u003ecancel();\n```\n\nThis same bug also affects the production webhook processing path via `processSubscriptionIPN()`, meaning both the debug endpoint and the live webhook handler can trigger unintended cancellations.\n\n## Proof of Concept\n\n1. Log in as any regular (non-admin) user and obtain a session cookie.\n\n2. Send a crafted payload to the test endpoint with a target subscription ID:\n\n```bash\ncurl -b \"PHPSESSID=USER_SESSION\" \\\n  \"https://your-avideo-instance.com/plugin/StripeYPT/test.php\" \\\n  -d \u0027payload={\"data\":{\"object\":{\"id\":\"sub_TARGET_SUBSCRIPTION_ID\",\"customer\":\"cus_CUSTOMER_ID\"}}}\u0027\n```\n\n3. The endpoint processes the payload, calls `retrieveSubscriptions()`, and the subscription is cancelled via the Stripe API.\n\n4. To enumerate subscription IDs, check if the application exposes them through other endpoints or use predictable patterns:\n\n```bash\n# Check user subscription details if accessible\ncurl -b \"PHPSESSID=USER_SESSION\" \\\n  \"https://your-avideo-instance.com/plugin/StripeYPT/listSubscriptions.php\"\n```\n\n5. The Stripe subscription is now cancelled. The affected user loses access to their paid features.\n\n## Impact\n\nAny logged-in user can cancel arbitrary Stripe subscriptions belonging to other users. This causes direct financial damage to the platform operator (lost subscription revenue) and service disruption for paying subscribers who lose access to premium features. The debug endpoint should have been removed from production or restricted to admin-only access, and the `retrieveSubscriptions()` method should retrieve rather than cancel subscriptions.\n\n- **CWE-862**: Missing Authorization\n- **Severity**: Medium\n\n## Recommended Fix\n\nTwo changes are needed:\n\n**1. Restrict the debug endpoint to admins** at `plugin/StripeYPT/test.php:4`:\n\n```php\n// plugin/StripeYPT/test.php:4\nif (!User::isAdmin())\n```\n\nChange `User::isLogged()` to `User::isAdmin()` so only administrators can access the debug endpoint.\n\n**2. Fix the retrieval bug** at `StripeYPT.php:933`:\n\nRemove the `$sub-\u003ecancel()` call from `retrieveSubscriptions()` so that the function only retrieves subscription data without cancelling it:\n\n```php\n// StripeYPT.php:933 - remove the following line:\n// $response = $sub-\u003ecancel();\n```\n\nThe `retrieveSubscriptions()` method should retrieve subscription information, not cancel subscriptions as a side effect.\n\n---\n*Found by [aisafe.io](https://aisafe.io)*",
  "id": "GHSA-38rh-4v39-vfxv",
  "modified": "2026-04-01T21:06:58Z",
  "published": "2026-04-01T21:06:58Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-38rh-4v39-vfxv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34737"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/commit/8ac79b9375872f02f72999157b19a40c17126513"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/WWBN/AVideo"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "AVideo: Arbitrary Stripe Subscription Cancellation via Debug Endpoint and retrieveSubscriptions() Bug"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-34737 (GCVE-0-2026-34737)

FKIE_CVE-2026-34737

GHSA-38RH-4V39-VFXV

Summary

Details

Proof of Concept

Impact

Recommended Fix

Tags

Sightings

Nomenclature