CVE-2026-47696 Overview
CVE-2026-47696 affects WWBN AVideo, an open source video platform, in versions 29.0 and earlier. The vulnerability resides in the plugin/AuthorizeNet/processPayment.json.php endpoint, which credits the logged-in user's wallet based solely on an attacker-controlled amount POST parameter. The code hardcodes $paymentSuccess = true and invokes YPTWallet::addBalance() without validating any Authorize.Net transaction, webhook signature, hosted payment token, or server-side payment record. Any authenticated user can add arbitrary funds to their own AVideo wallet when both the AuthorizeNet and YPTWallet plugins are enabled. The flaw is categorized under [CWE-345] Insufficient Verification of Data Authenticity.
Critical Impact
Authenticated attackers can mint unlimited wallet credit, undermining the platform's payment integrity and enabling financial fraud against monetized AVideo deployments.
Affected Products
- WWBN AVideo version 29.0
- WWBN AVideo versions prior to 29.0
- Deployments with the AuthorizeNet and YPTWallet plugins enabled
Discovery Timeline
- 2026-05-29 - CVE-2026-47696 published to NVD
- 2026-06-01 - Last updated in NVD database
Technical Details for CVE-2026-47696
Vulnerability Analysis
The vulnerability is a business logic flaw in the AuthorizeNet payment plugin. The processPayment.json.php endpoint is intended to credit a user's wallet after a successful Authorize.Net charge. Instead, the implementation trusts client input without performing any payment verification. The source code contains a TODO comment indicating that real Authorize.Net charging was never implemented, yet the endpoint remains exposed in production releases.
The handler reads the amount POST parameter directly from the request, sets $paymentSuccess = true unconditionally, and calls YPTWallet::addBalance() to credit the authenticated user. No transaction ID, webhook signature, hosted payment token, nonce, or server-side payment record is consulted. The endpoint requires only a valid login session, placing the attack within reach of any registered account.
Root Cause
The root cause is missing server-side verification of payment authenticity. The plugin treats an unverified, attacker-controlled value as proof of payment. There is no callback to the Authorize.Net API, no validation of merchant-signed receipts, and no idempotent record of completed transactions tied to the user.
Attack Vector
Exploitation requires network access and a low-privilege authenticated session. An attacker registers or uses an existing AVideo account, then issues a single HTTP POST request to plugin/AuthorizeNet/processPayment.json.php with an arbitrary amount value. The server credits that value to the attacker's wallet. The attack requires no user interaction and no elevated privileges. Refer to the GitHub Security Advisory GHSA-9392-pj54-qqf8 for the disclosed technical detail.
Detection Methods for CVE-2026-47696
Indicators of Compromise
- HTTP POST requests to /plugin/AuthorizeNet/processPayment.json.php from authenticated user sessions
- Wallet balance increases in the YPTWallet data store without a corresponding Authorize.Net transaction record
- Unusually large or repeated amount parameter values in web server access logs targeting the AuthorizeNet endpoint
- User accounts whose wallet credit history lacks matching merchant gateway confirmations
Detection Strategies
- Audit application logs for any invocation of processPayment.json.php and cross-reference with Authorize.Net merchant-side transaction reports
- Deploy web application firewall rules that flag or block requests to the vulnerable endpoint until patched
- Run database queries against the wallet ledger to surface balance adjustments without a linked external transaction ID
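The two checks above, reviewing access logs for calls to the endpoint and surfacing wallet credits with no settled gateway transaction, as an added example that is not part of the advisory or of AVideo itself. The log lines, the ledger rows and their (user_id, amount, gateway_txn_id) layout, and the settled-transaction set are constructed sample data; the real YPTWallet schema will differ.

```python
import re
from collections import defaultdict

# Constructed nginx combined-format access-log lines; not captured from a real host.
ACCESS_LOG = """\
203.0.113.5 - - [30/May/2026:10:01:02 +0000] "POST /plugin/AuthorizeNet/processPayment.json.php HTTP/1.1" 200 57 "-" "curl/8.0"
203.0.113.5 - - [30/May/2026:10:01:09 +0000] "POST /plugin/AuthorizeNet/processPayment.json.php HTTP/1.1" 200 57 "-" "curl/8.0"
198.51.100.7 - - [30/May/2026:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
"""

# Hypothetical wallet ledger rows: (user_id, amount, gateway_txn_id or None). Schema is assumed.
LEDGER = [
    (42, 9999.00, None),
    (42, 5000.00, None),
    (7, 20.00, "60123456789"),
]
# Hypothetical set of transaction ids present in the Authorize.Net merchant settlement report.
SETTLED_TXNS = {"60123456789"}

# Matches client IP and timestamp of any POST to the vulnerable endpoint.
ENDPOINT_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "POST /plugin/AuthorizeNet/processPayment\.json\.php'
)


def endpoint_hits(log_text):
    """Return (client_ip, timestamp) for each POST to processPayment.json.php."""
    hits = []
    for line in log_text.splitlines():
        m = ENDPOINT_RE.match(line)
        if m:
            hits.append((m.group(1), m.group(2)))
    return hits


def unmatched_credits(ledger, settled):
    """Sum, per user, every wallet credit that has no settled gateway transaction behind it."""
    flagged = defaultdict(float)
    for user_id, amount, txn_id in ledger:
        if txn_id is None or txn_id not in settled:
            flagged[user_id] += amount
    return dict(flagged)


if __name__ == "__main__":
    for ip, ts in endpoint_hits(ACCESS_LOG):
        print(f"endpoint hit from {ip} at {ts}")
    for user_id, total in unmatched_credits(LEDGER, SETTLED_TXNS).items():
        print(f"user {user_id}: {total:.2f} credited without gateway confirmation")
```

Accounts returned by unmatched_credits are the ones to reconcile against merchant records before any withdrawal or payout is honoured.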
Monitoring Recommendations
- Enable verbose access logging on the AVideo plugin/AuthorizeNet/ path and forward logs to a centralized SIEM
- Alert on POST requests to processPayment.json.php and review them against the merchant gateway's settled transaction list daily
- Monitor wallet withdrawal or payout requests for accounts that recently called the AuthorizeNet endpoint
How to Mitigate CVE-2026-47696
Immediate Actions Required
- Disable the AuthorizeNet plugin, the YPTWallet plugin, or both until a fixed release is deployed
- Block external access to /plugin/AuthorizeNet/processPayment.json.php at the reverse proxy or web application firewall
- Reconcile wallet balances against Authorize.Net merchant records and reverse fraudulent credits
- Review user accounts that have invoked the endpoint and freeze suspicious withdrawals or payouts
Patch Information
WWBN has published the GitHub Security Advisory GHSA-9392-pj54-qqf8 documenting the issue. Administrators should upgrade to the version that supersedes 29.0 and confirm the patched processPayment.json.php performs server-side verification of Authorize.Net transactions before crediting wallets.
Workarounds
- Remove or rename the plugin/AuthorizeNet/ directory on disk to prevent the endpoint from being reachable
- Configure the web server to return HTTP 403 for any request matching processPayment.json.php
- Restrict the YPTWallet plugin to administrator-only operation while the AuthorizeNet integration is offline
# Example nginx rule to block the vulnerable endpoint
location ~* /plugin/AuthorizeNet/processPayment\.json\.php$ {
    return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.