CVE-2026-39366 Overview
WWBN AVideo, an open source video platform, contains a critical business logic flaw in versions 26.0 and prior. The PayPal IPN (Instant Payment Notification) v1 handler at plugin/PayPalYPT/ipn.php lacks transaction deduplication, allowing attackers to replay legitimate IPN notifications to fraudulently inflate wallet balances and renew subscriptions without proper payment.
Critical Impact
Attackers can exploit this replay vulnerability to gain unlimited wallet credits and subscription renewals by repeatedly submitting a single valid PayPal IPN notification.
Affected Products
- WWBN AVideo version 26.0 and prior
- AVideo installations using PayPal IPN v1 handler (plugin/PayPalYPT/ipn.php)
- Systems with PayPal billing plans configured with the vulnerable notify_url
Discovery Timeline
- 2026-04-07 - CVE-2026-39366 published to NVD
- 2026-04-08 - Last updated in NVD database
Technical Details for CVE-2026-39366
Vulnerability Analysis
This vulnerability is classified as CWE-345 (Insufficient Verification of Data Authenticity). The core issue stems from the PayPal IPN v1 handler failing to implement transaction deduplication logic. While the newer ipnV2.php and webhook.php handlers correctly deduplicate transactions by checking against PayPalYPT_log entries, the legacy v1 handler at ipn.php was never updated with this protection mechanism.
The vulnerable endpoint remains actively referenced as the notify_url for billing plans, meaning legitimate payment workflows continue to route through this insecure handler. An attacker with access to a single valid IPN notification can replay it multiple times, with each replay being processed as a new legitimate transaction.
Root Cause
The root cause is the absence of transaction ID tracking and validation in the legacy ipn.php handler. Unlike the v2 implementation which logs processed transaction IDs to prevent duplicate processing, the v1 handler accepts and processes any structurally valid IPN notification without verifying whether that specific transaction has already been credited to the user's account.
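The difference between the two handlers, as an added illustration (not AVideo's code): a toy IPN processor that credits every structurally valid notification beside one that records each txn_id before crediting, replayed with the same message. Field names follow PayPal IPN parameters; the wallet and the processed-transaction log are stand-ins for the platform's wallet and PayPalYPT_log storage.

```python
# Added example, not the project's code. Models the missing deduplication in the
# legacy IPN v1 handler next to the check the v2/webhook handlers perform.
from dataclasses import dataclass, field


@dataclass
class Wallet:
    balance: float = 0.0


@dataclass
class PaymentLog:
    # Stand-in for the PayPalYPT_log table: txn_ids that were already credited.
    processed: set = field(default_factory=set)


def handle_ipn_v1(ipn: dict, wallet: Wallet) -> bool:
    """Vulnerable pattern: every 'Completed' IPN is credited, replays included."""
    if ipn.get("payment_status") != "Completed":
        return False
    wallet.balance += float(ipn["mc_gross"])
    return True


def handle_ipn_dedup(ipn: dict, wallet: Wallet, log: PaymentLog) -> bool:
    """Hardened pattern: a given txn_id is credited at most once."""
    if ipn.get("payment_status") != "Completed":
        return False
    txn_id = ipn.get("txn_id")
    if not txn_id or txn_id in log.processed:
        return False  # replayed or malformed notification: ignore, do not credit
    log.processed.add(txn_id)  # record the id before touching the balance
    wallet.balance += float(ipn["mc_gross"])
    return True


def replay(handler, ipn: dict, times: int) -> tuple:
    """Deliver the same IPN `times` times; return (final balance, credits applied)."""
    wallet, log, credited = Wallet(), PaymentLog(), 0
    for _ in range(times):
        ok = handler(ipn, wallet) if handler is handle_ipn_v1 else handler(ipn, wallet, log)
        credited += int(ok)
    return wallet.balance, credited


# Constructed sample notification (values are made up, not real PayPal data).
SAMPLE_IPN = {"txn_id": "7AB12345CD678901E", "payment_status": "Completed", "mc_gross": "10.00"}
```

In a real deployment the log insert should be backed by a unique constraint on txn_id so two replays arriving concurrently cannot both pass the in-memory check before either is recorded.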
Attack Vector
The attack is network-based and requires low privileges—an attacker only needs to intercept or obtain one legitimate PayPal IPN notification. This can be achieved through various means including network sniffing, accessing server logs, or compromising a legitimate user account. Once a valid IPN message is captured, the attacker can replay it against the vulnerable ipn.php endpoint to:
- Repeatedly credit their wallet balance with each replay
- Extend or renew subscriptions without additional payment
- Potentially exhaust platform resources through fraudulent transactions
The attack abuses the trust relationship between the AVideo platform and PayPal's IPN system: the platform incorrectly assumes that each received notification represents a unique, not yet processed transaction.
Detection Methods for CVE-2026-39366
Indicators of Compromise
- Multiple identical IPN requests with the same txn_id parameter hitting plugin/PayPalYPT/ipn.php
- Unusual wallet balance increases without corresponding unique PayPal transactions
- Subscription renewals that don't match PayPal payment records
- High-frequency requests to the IPN endpoint from single IP addresses
Detection Strategies
- Implement logging and alerting for duplicate txn_id values in IPN requests
- Monitor for anomalous patterns in wallet balance modifications
- Cross-reference platform transaction records with PayPal merchant account history
- Set up rate limiting alerts on the ipn.php endpoint
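The first three strategies above, applied to constructed sample data (an added example, not part of the advisory). It assumes the site logs each hit on ipn.php as one line carrying the source IP and the posted txn_id, user and mc_gross (an invented format), and that a PayPal merchant export is available as a txn_id to amount mapping.

```python
# Added example, not the project's code: replay indicators over constructed logs.
import re
from collections import Counter, defaultdict

# Constructed application log lines (format and values are made up for this example).
LOG_LINES = """\
2026-04-08T10:00:01Z 66.211.168.10 POST /plugin/PayPalYPT/ipn.php txn_id=7AB12345CD678901E user=42 mc_gross=10.00
2026-04-08T10:00:05Z 66.211.168.10 POST /plugin/PayPalYPT/ipn.php txn_id=8CD23456EF789012F user=17 mc_gross=25.00
2026-04-08T11:30:00Z 203.0.113.9 POST /plugin/PayPalYPT/ipn.php txn_id=7AB12345CD678901E user=42 mc_gross=10.00
2026-04-08T11:30:02Z 203.0.113.9 POST /plugin/PayPalYPT/ipn.php txn_id=7AB12345CD678901E user=42 mc_gross=10.00
2026-04-08T11:30:03Z 203.0.113.9 POST /plugin/PayPalYPT/ipn.php txn_id=7AB12345CD678901E user=42 mc_gross=10.00
""".splitlines()

# Constructed stand-in for the PayPal merchant transaction export: txn_id -> amount paid.
PAYPAL_EXPORT = {"7AB12345CD678901E": 10.00, "8CD23456EF789012F": 25.00}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) POST /plugin/PayPalYPT/ipn\.php "
    r"txn_id=(?P<txn>\S+) user=(?P<user>\d+) mc_gross=(?P<amt>[\d.]+)$"
)


def parse(lines):
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append({**m.groupdict(), "amt": float(m["amt"])})
    return events


def replayed_txn_ids(events):
    """txn_ids posted more than once: the primary indicator of an IPN replay."""
    counts = Counter(e["txn"] for e in events)
    return {t: n for t, n in counts.items() if n > 1}


def credited_vs_paid(events, export):
    """txn_ids where the total credited by the platform differs from what PayPal paid."""
    credited = defaultdict(float)
    for e in events:
        credited[e["txn"]] += e["amt"]
    return {t: (credited[t], export.get(t, 0.0)) for t in credited if credited[t] != export.get(t, 0.0)}


def noisy_sources(events, threshold=3):
    """Source IPs that hit the IPN endpoint at least `threshold` times."""
    counts = Counter(e["ip"] for e in events)
    return {ip: n for ip, n in counts.items() if n >= threshold}
```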
Monitoring Recommendations
- Enable detailed access logging for plugin/PayPalYPT/ipn.php endpoint
- Implement real-time monitoring for transaction ID duplication patterns
- Configure alerts for wallet balance increases that exceed normal thresholds
- Audit PayPal billing plan configurations to identify exposed notify_url endpoints
How to Mitigate CVE-2026-39366
Immediate Actions Required
- Update WWBN AVideo to a version that includes the security patch
- Review and audit recent wallet balance changes for suspicious activity
- Migrate billing plans from the v1 IPN handler to the secure v2 or webhook handlers
- Implement additional server-side deduplication as a defense-in-depth measure
Patch Information
A security patch is available through the GitHub commit 8f53e9d9c6aaa07d51ace30691981edbbfb5ca1c. This commit addresses the transaction deduplication issue in the v1 IPN handler. For complete details, refer to the GitHub Security Advisory GHSA-mmw7-wq3c-wf9p.
Workarounds
- Disable the legacy ipn.php handler and reconfigure billing plans to use ipnV2.php or webhook.php
- Implement server-level request filtering to block duplicate txn_id submissions
- Add manual transaction ID logging and validation at the application layer
- Restrict access to the IPN endpoint to only PayPal's documented IP ranges
# Configuration example - restrict the IPN endpoint to PayPal's source addresses
# (this snippet limits access only; it does not implement rate limiting)
# Add to the web server configuration: Apache .htaccess shown below; nginx would use
# allow/deny directives in the matching location block
# Apache .htaccess example (Order/Deny/Allow syntax; on Apache 2.4 this requires
# mod_access_compat, otherwise use the equivalent "Require ip" directives)
<Files "ipn.php">
# Allow only PayPal IPN IP ranges; check them against PayPal's currently published list
Order deny,allow
Deny from all
Allow from 64.4.240.0/21
Allow from 66.211.168.0/22
Allow from 173.0.80.0/20
</Files>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

