HIGH | CVE-2026-47696 | CNA: GitHub_M

CVE-2026-47696: WWBN AVideo: Authenticated wallet credit bypass in AuthorizeNet processPayment endpoint

WWBN AVideo is an open source video platform. In 29.0 and earlier, plugin/AuthorizeNet/processPayment.json.php credits the logged-in user's wallet based only on the attacker-controlled amount POST parameter. The endpoint contains a TODO for real Authorize.Net charging, hardcodes $paymentSuccess = true, and then calls YPTWallet::addBalance() without validating any Authorize.Net transaction, webhook signature, hosted payment token, nonce, or server-side payment record. This allows any logged-in user to add arbitrary funds to their own AVideo wallet when the AuthorizeNet and YPTWallet plugins are enabled.

HarborGuard Analysis

Synopsis

This is an authenticated business-logic bypass in WWBN AVideo's AuthorizeNet payment plugin. Any logged-in user can POST to plugin/AuthorizeNet/processPayment.json.php and have the supplied amount credited directly to their wallet, because the endpoint hardcodes payment success and never validates an actual Authorize.Net transaction, webhook signature, or server-side payment record. Successful exploitation lets attackers inflate their own wallet balance to arbitrary values, corrupting revenue and accounting data. No upstream fix is published yet; HarborGuard tracks the advisory for patch availability.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment, with the advisory ingested from upstream feeds within minutes of publication and matched against AVideo images in customer registries and CI pipelines. Coverage extends to custom-built images that bundle AVideo 29.0 or earlier, including derivative images that enable the AuthorizeNet and YPTWallet plugins.

Triage: Available

Triage is available with the published CVSS v4.0 score of 7.1 (High) applied automatically, then weighted by each environment's compliance policy (for example, e-commerce or payment-handling workloads can be escalated). Findings are routed to the right inbox inside each customer org based on image ownership and workload tags.

Patch: Pending upstream

No upstream fix version exists yet, so HarborGuard re-checks the advisory each ingest cycle and will make a patched-image rebuild available the moment WWBN publishes a fixed AVideo release. For customers who opt into auto-remediation, that rebuild will be regression-tested and a PR opened against affected workloads as soon as the upstream patch lands.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the AVideo processPayment.json.php endpoint over the network, typically the same HTTP(S) surface that serves the video platform.

  • Authentication: Required

    Any low-privilege logged-in AVideo user account is sufficient; no admin role is needed.

  • Victim interaction: Not required

    The attacker acts entirely against their own session and wallet, with no other user needing to click or do anything.

  • Attack complexity: Low

    Attack complexity is low: a single crafted POST with an amount parameter reliably credits the wallet, with no race or memory-layout conditions.

Blast Radius

  • Attackers arbitrarily inflate their own AVideo wallet balance by submitting any amount value, with no real funds moving.
  • Wallet ledgers, revenue reports, and any downstream payout or entitlement logic tied to wallet balance become untrustworthy.
  • Confidentiality and availability are not directly affected; the damage is integrity of financial state inside AVideo.

How HarborGuard Handles This

Available on HarborGuard: continuous monitoring of the WWBN AVideo advisory so that the moment an upstream fix ships, a patched-image rebuild is published and, for environments with auto-remediation enabled, regression-tested with a PR opened against affected workloads. In the meantime, compensating-control guidance is surfaced alongside the finding, including disabling the AuthorizeNet and YPTWallet plugins where they are not in active use, restricting network access to plugin/AuthorizeNet/processPayment.json.php via reverse-proxy rules or WAF policy, and adding alerting on unexpected YPTWallet::addBalance activity until the upstream patch lands.
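The missing control described in the synopsis is a server-side payment record that each wallet credit must be reconciled against; the compensating-control guidance above likewise asks for alerting on unexpected credits. The following reconciliation check is an added illustration, not HarborGuard's or AVideo's code: it flags every wallet credit that is not backed by exactly one matching settled gateway transaction. The ledger-row and gateway-record shapes, field names and sample rows are constructed assumptions, since the real YPTWallet schema is not shown in the advisory.

```python
from collections import namedtuple
from decimal import Decimal

# Constructed record shapes (the real YPTWallet and Authorize.Net schemas are not shown here).
WalletCredit = namedtuple("WalletCredit", "credit_id user_id amount gateway_txn_id")  # ledger row
GatewayTxn = namedtuple("GatewayTxn", "txn_id user_id amount status")                # gateway record

def find_unbacked_credits(credits, txns):
    """Return (credit_id, reason) for each credit not backed by exactly one matching settled transaction.
    A credit taken on a hardcoded-success path records no gateway reference at all (first check);
    the later checks catch a forged, declined, foreign, inflated or replayed reference."""
    by_id = {t.txn_id: t for t in txns}
    consumed = set()        # settled transactions already used to back a credit
    findings = []
    for c in credits:
        t = by_id.get(c.gateway_txn_id)
        if c.gateway_txn_id is None:
            findings.append((c.credit_id, "no gateway transaction reference"))
        elif t is None:
            findings.append((c.credit_id, "referenced transaction unknown to gateway"))
        elif t.status != "settled":
            findings.append((c.credit_id, f"transaction status is {t.status}"))
        elif t.user_id != c.user_id:
            findings.append((c.credit_id, "transaction belongs to a different user"))
        elif t.amount != c.amount:
            findings.append((c.credit_id, "credited amount differs from settled amount"))
        elif t.txn_id in consumed:
            findings.append((c.credit_id, "transaction already used to back another credit"))
        else:
            consumed.add(t.txn_id)
    return findings

# Constructed sample data: one legitimate credit and five that a verifying endpoint would refuse.
SAMPLE_TXNS = [
    GatewayTxn("T-1001", 7, Decimal("25.00"), "settled"),
    GatewayTxn("T-2002", 9, Decimal("10.00"), "declined"),
    GatewayTxn("T-3003", 11, Decimal("5.00"), "settled"),
]
SAMPLE_CREDITS = [
    WalletCredit("c1", 7, Decimal("25.00"), "T-1001"),   # legitimate
    WalletCredit("c2", 7, Decimal("500.00"), None),      # caller-chosen amount, no payment behind it
    WalletCredit("c3", 9, Decimal("10.00"), "T-2002"),   # declined at the gateway
    WalletCredit("c4", 9, Decimal("25.00"), "T-1001"),   # another user's transaction
    WalletCredit("c5", 7, Decimal("25.00"), "T-1001"),   # replay of the legitimate reference
    WalletCredit("c6", 11, Decimal("50.00"), "T-3003"),  # credited above the settled 5.00
]

if __name__ == "__main__":
    print(*find_unbacked_credits(SAMPLE_CREDITS, SAMPLE_TXNS), sep="\n")
```

Run against a real ledger, each returned pair is one alert; the same six checks are what a fixed processPayment endpoint would have to perform before calling addBalance.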

Metrics

CVSS v4.0: 7.1
Severity: HIGH
Fixed in: none yet (pending upstream)
Affected products: 1
Affected packages:
  • WWBN / AVideo <= 29.0
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N