CVE-2026-34737 Overview
WWBN AVideo is an open source video platform that includes an exposed debug endpoint vulnerability in its StripeYPT plugin. In versions 26.0 and prior, the test.php debug endpoint is accessible to any logged-in user rather than being restricted to administrators. This endpoint processes Stripe webhook-style payloads and triggers subscription operations, including cancellation. Due to a critical bug in the retrieveSubscriptions() method that cancels subscriptions instead of merely retrieving them, any authenticated user can cancel arbitrary Stripe subscriptions by simply providing a subscription ID.
Critical Impact
Authenticated users can cancel any Stripe subscription within the platform, causing financial harm and service disruption to legitimate subscribers without authorization.
Affected Products
- WWBN AVideo versions 26.0 and prior
- StripeYPT plugin with exposed test.php debug endpoint
- AVideo installations with Stripe payment integration enabled
Discovery Timeline
- 2026-03-31 - CVE CVE-2026-34737 published to NVD
- 2026-04-01 - Last updated in NVD database
Technical Details for CVE-2026-34737
Vulnerability Analysis
This vulnerability represents a classic Missing Authorization (CWE-862) flaw where a sensitive administrative debug endpoint lacks proper access control. The StripeYPT plugin includes a test.php file that was likely intended for development or debugging purposes but was inadvertently left accessible in production deployments.
The vulnerability is compounded by a logic error in the retrieveSubscriptions() method. Instead of simply fetching subscription data as its name suggests, this method erroneously triggers subscription cancellation operations. When combined with the missing authorization check, this creates a dangerous scenario where any authenticated user—not just administrators—can invoke this functionality.
The attack is straightforward: an attacker only needs basic user credentials to access the test.php endpoint and craft a payload containing a target subscription ID. The system will process this request without verifying whether the user has authorization to manage that subscription.
Root Cause
The root cause is twofold: first, the absence of role-based access control on the test.php debug endpoint allows any authenticated user to access functionality intended only for administrators. Second, the retrieveSubscriptions() method contains a logic bug that performs destructive subscription cancellation operations rather than the read-only retrieval its name implies. This combination of missing authorization and flawed method logic enables unauthorized subscription manipulation.
Attack Vector
The attack is network-based and requires low-privileged authentication. An attacker with any valid user account can navigate to the test.php endpoint and submit a crafted Stripe webhook-style payload. By including an arbitrary subscription ID in this payload, the attacker triggers the buggy retrieveSubscriptions() method, which cancels the targeted subscription regardless of ownership. No user interaction is required from the victim, and the attacker can target any subscription ID they can enumerate or guess.
The vulnerability resides in the StripeYPT plugin's test.php debug endpoint. When a logged-in user sends a request to this endpoint with a subscription ID, the retrieveSubscriptions() method is invoked. Due to the logic bug, this method cancels the specified subscription rather than retrieving it. For technical details on the specific implementation flaw, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-34737
Indicators of Compromise
- Unexpected HTTP requests to /plugin/StripeYPT/test.php from non-administrator user accounts
- Stripe subscription cancellation events that do not correlate with legitimate user-initiated actions
- Anomalous access patterns to debug endpoints from standard user sessions
- Stripe webhook logs showing cancellation requests originating from the AVideo application without corresponding UI interactions
Detection Strategies
- Monitor web server access logs for requests to test.php within the StripeYPT plugin directory
- Implement alerting on Stripe subscription cancellation events and correlate with authorized administrative actions
- Deploy web application firewall (WAF) rules to restrict access to debug endpoints based on user roles
- Enable detailed logging for all Stripe API interactions to identify unauthorized cancellation requests
Monitoring Recommendations
- Configure real-time alerts for any access to the test.php endpoint in production environments
- Audit Stripe dashboard for unexpected subscription cancellations and investigate origin
- Implement file integrity monitoring on plugin directories to detect unauthorized modifications
- Review user session logs for privilege escalation patterns or access to administrative functionality
How to Mitigate CVE-2026-34737
Immediate Actions Required
- Remove or disable the test.php file from the StripeYPT plugin directory immediately
- Implement server-level access restrictions (e.g., .htaccess or nginx rules) to block access to debug files
- Audit recent Stripe subscription cancellations for unauthorized activity and contact affected users
- Review user access logs to identify potential exploitation attempts
Patch Information
At time of publication, there are no publicly available patches for this vulnerability. Administrators should monitor the GitHub Security Advisory for updates on official remediation. Until a patch is released, manual mitigation through file removal or access restriction is strongly recommended.
Workarounds
- Delete or rename the test.php file located in the StripeYPT plugin directory to prevent access
- Add server configuration rules to deny access to debug and test files within plugin directories
- Implement application-level middleware to enforce administrator-only access to sensitive plugin endpoints
- Consider temporarily disabling the StripeYPT plugin if subscription cancellation functionality is not critical
# Configuration example - Apache .htaccess to block test.php access
<FilesMatch "^test\.php$">
Order deny,allow
Deny from all
</FilesMatch>
# Alternative: Nginx configuration to block debug endpoints
location ~* /plugin/StripeYPT/test\.php$ {
deny all;
return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
