CVE-2026-43883 Overview
CVE-2026-43883 is an Insecure Direct Object Reference (IDOR) vulnerability [CWE-639] in WWBN AVideo, an open source video streaming platform. The flaw resides in plugin/PayPalYPT/agreementCancel.json.php, which cancels a PayPal billing agreement based on an attacker-supplied agreement parameter without verifying ownership. Any low-privilege authenticated user who learns another user's PayPal billing agreement ID can cancel that victim's recurring subscription. The issue affects all versions up to and including 29.0 and is resolved in commit 0da3dcff1eda2f497694bf82b559829471c292c2.
Critical Impact
Authenticated attackers can silently suspend other users' PayPal recurring subscriptions, causing revenue loss to platform operators and service disruption to paying subscribers.
Affected Products
- WWBN AVideo versions through 29.0
- AVideo PayPalYPT plugin (plugin/PayPalYPT/agreementCancel.json.php)
- Self-hosted AVideo deployments with PayPal recurring billing enabled
Discovery Timeline
- 2026-05-11 - CVE-2026-43883 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-43883
Vulnerability Analysis
The vulnerable endpoint accepts an agreement parameter from any authenticated request and passes it directly to PayPalYPT::cancelAgreement(). The handler verifies that the caller is logged in, but it never checks whether the supplied agreement ID belongs to the requesting user. This authorization gap allows horizontal privilege escalation between standard accounts.
Attackers who obtain a victim's PayPal billing agreement ID, through leaked logs, exposed admin panels, referer headers, or guessable identifiers, can invoke the endpoint to cancel that agreement. The cancellation succeeds because PayPal honors the server-issued API call, and AVideo treats the action as authorized.
Root Cause
The root cause is a missing authorization check between the authenticated session and the resource being modified. The handler conflates authentication (User::isLogged()) with authorization, a common pattern flagged by [CWE-639]: Authorization Bypass Through User-Controlled Key.
Attack Vector
Exploitation requires network access and a valid low-privilege account on the AVideo instance. The attacker submits a crafted POST or GET request to agreementCancel.json.php containing another user's agreement identifier. No user interaction from the victim is needed, and the cancellation occurs silently.
// Vulnerable handler (pre-patch) - plugin/PayPalYPT/agreementCancel.json.php
<?php
require_once '../../videos/configuration.php';
header('Content-Type: application/json');
$obj = new stdClass();
$obj->error = true;
$obj->msg = "";
// Authentication only: any logged-in account passes this gate
if (!User::isLogged()) {
    $obj->msg = "Only for Logged";
    die(json_encode($obj));
}
if (empty($_REQUEST['agreement'])) {
    $obj->msg = "Empty Agreement ID";
    die(json_encode($obj));
}
$plugin = AVideoPlugin::loadPluginIfEnabled("PayPalYPT");
// No ownership check before cancelling the agreement: the attacker-supplied
// ID is passed straight through to the PayPal API call
$agreement = PayPalYPT::cancelAgreement($_REQUEST['agreement']);
Source: GitHub Commit 0da3dcff
Detection Methods for CVE-2026-43883
Indicators of Compromise
- Requests to /plugin/PayPalYPT/agreementCancel.json.php from session cookies that do not match the agreement owner recorded in the database.
- Unexpected spikes in PayPal BillingAgreement.cancel API calls originating from the AVideo backend.
- Subscriber complaints reporting cancelled recurring payments without user action.
Detection Strategies
- Correlate webserver access logs for agreementCancel.json.php hits against the users_paypal_yearly (or equivalent) table to flag mismatches between session user ID and agreement owner.
- Enable PayPal merchant webhook logging for BILLING.SUBSCRIPTION.CANCELLED events and reconcile each event with an authorized in-app cancellation record.
- Search PHP error logs and AVideo audit trails for repeated calls to the cancellation endpoint from a single account targeting multiple agreement IDs.
Monitoring Recommendations
- Alert on any single authenticated session generating more than one agreement cancellation per day.
- Monitor for enumeration patterns such as sequential or brute-forced agreement parameter values.
- Track revenue dashboards for abnormal subscription churn rates after deployment of vulnerable releases.
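An added example (not part of the advisory or of AVideo) of the log correlation and enumeration checks described in the two lists above: it parses constructed access log lines, resolves each session to a user, flags cancellation hits where that user is not the recorded agreement owner, and lists sessions that touched more than one agreement ID. The log format with a trailing PHPSESSID field, the session table and the agreement-owner table are all assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed sample access log (not from the advisory): combined format
# with the PHPSESSID cookie appended as a final quoted field. POST bodies
# never reach the access log, so body-supplied agreement IDs need an
# application-level audit trail instead.
SAMPLE_LOG = """\
10.1.2.3 - - [12/May/2026:10:00:01 +0000] "POST /plugin/PayPalYPT/agreementCancel.json.php?agreement=I-AAA111 HTTP/1.1" 200 45 "-" "Mozilla/5.0" "PHPSESSID=sess_alice"
10.1.2.4 - - [12/May/2026:10:00:05 +0000] "GET /plugin/PayPalYPT/agreementCancel.json.php?agreement=I-BBB222 HTTP/1.1" 200 45 "-" "Mozilla/5.0" "PHPSESSID=sess_mallory"
10.1.2.4 - - [12/May/2026:10:00:09 +0000] "GET /plugin/PayPalYPT/agreementCancel.json.php?agreement=I-CCC333 HTTP/1.1" 200 45 "-" "Mozilla/5.0" "PHPSESSID=sess_mallory"
10.1.2.5 - - [12/May/2026:10:00:12 +0000] "GET /index.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0" "PHPSESSID=sess_bob"
"""

# Constructed lookups standing in for the session table and the
# users_paypal_yearly (or equivalent) agreement-owner table.
SESSION_TO_USER = {"sess_alice": 1, "sess_mallory": 3, "sess_bob": 2}
AGREEMENT_OWNER = {"I-AAA111": 1, "I-BBB222": 2, "I-CCC333": 1}

ENDPOINT = "/plugin/PayPalYPT/agreementCancel.json.php"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "PHPSESSID=(?P<sid>[^"]*)"$')

def find_cancellation_mismatches(log_text, session_to_user, agreement_owner):
    """Return (mismatches, enumerators). A mismatch is a cancellation hit
    whose session user is not the recorded agreement owner; an enumerator
    is a session that targeted more than one distinct agreement ID."""
    mismatches = []
    agreements_by_session = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        url = urlparse(m["target"])
        if url.path != ENDPOINT:
            continue
        agreement = parse_qs(url.query).get("agreement", [None])[0]
        if not agreement:
            continue
        sid = m["sid"]
        agreements_by_session[sid].add(agreement)
        user, owner = session_to_user.get(sid), agreement_owner.get(agreement)
        # Unknown sessions or unknown agreement IDs are flagged too
        if user is None or owner is None or user != owner:
            mismatches.append({"ts": m["ts"], "ip": m["ip"], "session_user": user,
                               "agreement": agreement, "owner": owner})
    enumerators = sorted(s for s, a in agreements_by_session.items() if len(a) > 1)
    return mismatches, enumerators
```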
How to Mitigate CVE-2026-43883
Immediate Actions Required
- Upgrade WWBN AVideo to a build that includes commit 0da3dcff1eda2f497694bf82b559829471c292c2 or later.
- Audit recent PayPal cancellation events and contact affected subscribers to restore their recurring agreements.
- Restrict access to the /plugin/PayPalYPT/ endpoints at the web server or WAF layer until the patch is applied.
Patch Information
The maintainers fixed the issue in commit 0da3dcff1eda2f497694bf82b559829471c292c2, which adds an ownership check ensuring the authenticated user matches the owner of the supplied agreement before invoking PayPalYPT::cancelAgreement(). Full advisory details are available in the GitHub Security Advisory GHSA-958h-qp3x-q4gj.
Workarounds
- Temporarily disable the PayPalYPT plugin if patching cannot be performed immediately.
- Block unauthenticated and non-admin requests to agreementCancel.json.php via reverse proxy rules.
- Rotate or regenerate PayPal billing agreement identifiers that may have been exposed in logs or shared URLs.
# Example NGINX rule to block external access to the vulnerable endpoint until patched.
# allow/deny are evaluated in the access phase; an unconditional "return 403;" would run
# in the earlier rewrite phase and block the allowed network too, so it is left out.
location = /plugin/PayPalYPT/agreementCancel.json.php {
    allow 10.0.0.0/8;   # internal admin network only
    deny all;           # nginx answers 403 to everyone else
    # An exact-match location bypasses the site's "location ~ \.php$" handler, so the
    # PHP-FPM directives must be repeated here or allowed clients receive the raw PHP source.
    include fastcgi_params;                    # placeholder: copy the site's PHP handler
    fastcgi_pass unix:/run/php/php-fpm.sock;   # placeholder: match the site's php-fpm socket
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.