PatchSiren cyber security CVE debrief
CVE-2026-47696 WWBN CVE debrief
## Summary

CVE-2026-47696 is a **HIGH-severity (CVSS 7.1)** vulnerability in WWBN AVideo, an open-source video platform. In versions 29.0 and earlier, the Authorize.Net payment processing endpoint (`plugin/AuthorizeNet/processPayment.json.php`) contains a critical logic flaw: it **hardcodes `$paymentSuccess = true`** and credits the logged-in user's wallet based solely on an attacker-controlled `amount` POST parameter, without validating any actual Authorize.Net transaction, webhook signature, payment token, or server-side payment record. This allows any authenticated user to arbitrarily inflate their AVideo wallet balance when both the AuthorizeNet and YPTWallet plugins are enabled.

## Technical Analysis

The vulnerability stems from **incomplete payment integration code** marked with a TODO comment for implementing real Authorize.Net charging. The affected endpoint:

1. Accepts a user-supplied `amount` parameter via POST request
2. Sets `$paymentSuccess = true` unconditionally
3. Calls `YPTWallet::addBalance()` to credit the user's wallet without any verification of actual payment completion

This is a **CWE-345: Insufficient Verification of Data Authenticity** weakness: the system never verifies that a legitimate financial transaction occurred before granting wallet credit.

## Attack Scenario

An attacker with valid AVideo credentials can:

1. Authenticate to the platform
2. Send a crafted POST request to `plugin/AuthorizeNet/processPayment.json.php` with an arbitrary `amount` value
3. Receive immediate wallet credit without any actual payment processing

The attack requires **low attack complexity**, **no user interaction**, and **network access** to the vulnerable instance.

## Affected Versions

- **WWBN AVideo 29.0 and earlier**

The vulnerability is **conditional on both AuthorizeNet and YPTWallet plugins being enabled**.
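The three-step pattern described under Technical Analysis, reconstructed beside a hardened version of the same endpoint. This is an added illustration for this debrief, not AVideo's or the AuthorizeNet plugin's actual source. Everything beyond what the advisory states is an assumption: the `Gateway` and `TransactionStore` interfaces, the `PACKAGES` price table, the `YPTWallet::addBalance(users_id, amount, description)` signature, and the stub `YPTWallet` class that exists only so the file runs stand-alone.

```php
<?php
// Added illustration for this debrief, not AVideo's or the AuthorizeNet plugin's own code.
// Assumptions (not taken from the project): the Gateway/TransactionStore interfaces, the
// PACKAGES price table, and the YPTWallet::addBalance(users_id, amount, description)
// signature; the stub YPTWallet below exists only so the file runs stand-alone.
declare(strict_types=1);

if (!class_exists('YPTWallet')) {
    class YPTWallet {
        public static array $ledger = [];
        public static function addBalance(int $users_id, float $amount, string $description): void {
            self::$ledger[] = [$users_id, $amount, $description];
        }
    }
}

// --- The pattern the advisory describes (vulnerable): success is hardcoded and the
// --- credited figure is whatever the client put in the POST body.
function processPaymentVulnerable(int $users_id, array $post): array
{
    $amount = (float) ($post['amount'] ?? 0);
    $paymentSuccess = true; // no gateway call, no token, no server-side record
    if ($paymentSuccess) {
        YPTWallet::addBalance($users_id, $amount, 'AuthorizeNet');
    }
    return ['error' => !$paymentSuccess, 'credited' => $amount];
}

// --- Hardened pattern: the client chooses a package and supplies a one-time payment
// --- nonce; the server decides the amount, charges first, and credits only an approved,
// --- not-yet-seen gateway transaction.
interface Gateway {
    /** Hypothetical wrapper around an Authorize.Net createTransactionRequest; null on failure. */
    public function charge(string $dataDescriptor, string $dataValue, float $amount): ?array;
}
interface TransactionStore {
    /** Insert transId under a UNIQUE constraint; false if it was already recorded. */
    public function recordOnce(string $transId, int $users_id, float $amount): bool;
}
const PACKAGES = ['pkg_10' => 10.00, 'pkg_50' => 50.00]; // hypothetical server-side prices

function processPaymentHardened(int $users_id, array $post, Gateway $gw, TransactionStore $store): array
{
    $pkg = (string) ($post['package'] ?? '');
    if (!isset(PACKAGES[$pkg])) {
        return ['error' => true, 'msg' => 'unknown package'];
    }
    $amount = PACKAGES[$pkg];                       // never $post['amount']
    $descriptor = (string) ($post['dataDescriptor'] ?? '');
    $nonce = (string) ($post['dataValue'] ?? '');   // Accept.js opaque data, single use
    if ($descriptor === '' || $nonce === '') {
        return ['error' => true, 'msg' => 'missing payment nonce'];
    }
    $resp = $gw->charge($descriptor, $nonce, $amount);
    // Authorize.Net transactionResponse.responseCode "1" means Approved.
    if ($resp === null || ($resp['responseCode'] ?? '') !== '1') {
        return ['error' => true, 'msg' => 'payment not approved'];
    }
    // Idempotency: a replayed or duplicated request carrying the same transId credits nothing.
    if (!$store->recordOnce((string) $resp['transId'], $users_id, $amount)) {
        return ['error' => true, 'msg' => 'duplicate transaction'];
    }
    YPTWallet::addBalance($users_id, $amount, 'AuthorizeNet transId ' . $resp['transId']);
    return ['error' => false, 'credited' => $amount];
}

// In-memory stand-ins so the file runs offline: the fake gateway approves every charge
// with a fresh transId, the fake store remembers which transIds it has seen.
$gw = new class implements Gateway {
    private int $n = 0;
    public function charge(string $d, string $v, float $a): ?array {
        return ['responseCode' => '1', 'transId' => '6000000' . (++$this->n)];
    }
};
$store = new class implements TransactionStore {
    private array $seen = [];
    public function recordOnce(string $t, int $u, float $a): bool {
        if (isset($this->seen[$t])) return false;
        $this->seen[$t] = true;
        return true;
    }
};

var_dump(processPaymentVulnerable(42, ['amount' => '999999'])); // credits 999999 with no payment
var_dump(processPaymentHardened(42, ['package' => 'pkg_10', 'amount' => '999999',
    'dataDescriptor' => 'COMMON.ACCEPT.INAPP.PAYMENT', 'dataValue' => 'nonce-1'], $gw, $store)); // credits 10.00
```

The point of the hardened form is not the gateway call itself but where the number comes from: the client only ever names a package and hands over a single-use nonce, the price lives server-side, and the wallet is credited for the amount the server actually charged, once per gateway transaction id. Any of the checks the advisory lists as missing (a real transaction, a token, a server-side record) would have closed the hole; the pattern above uses all three.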
## Risk Assessment

| Factor | Assessment |
|--------|------------|
| **Confidentiality Impact** | None (VC:N) |
| **Integrity Impact** | High (VI:H) — unauthorized wallet balance modification |
| **Availability Impact** | None (VA:N) |
| **Attack Vector** | Network (AV:N) |
| **Privileges Required** | Low (PR:L) — valid |
- Vendor: WWBN
- Product: AVideo
- CVSS: HIGH 7.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-29
- Original CVE updated: 2026-05-29
- Advisory published: 2026-05-29
- Advisory updated: 2026-05-29
Who should care
Organizations operating AVideo platforms with e-commerce or monetization features enabled; security teams monitoring payment flow integrity; compliance auditors reviewing financial transaction validation controls
Technical summary
The AuthorizeNet plugin's processPayment.json.php endpoint in AVideo ≤29.0 hardcodes payment success and credits wallets based on unvalidated user input, enabling arbitrary balance inflation by authenticated users
Defensive priority
HIGH
Recommended defensive actions
- Verify whether AVideo instances in your environment run version 29.0 or earlier with AuthorizeNet and YPTWallet plugins enabled
- Review application logs for suspicious POST requests to plugin/AuthorizeNet/processPayment.json.php with large or unusual amount parameters
- Audit YPTWallet transaction records for balance additions lacking corresponding Authorize.Net settlement records
- Apply vendor-provided patches or upgrade to a fixed version when available
- If immediate patching is not possible, disable the AuthorizeNet plugin, or block requests to plugin/AuthorizeNet/processPayment.json.php at the web server or WAF; note that the endpoint is not a gateway callback, so a WAF rule can only deny access to it, not verify that a payment took place
- Monitor for anomalous wallet balance increases that do not correlate with legitimate payment flows
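The two review steps above (flagging POSTs to the payment endpoint with large or repeated amounts, and reconciling wallet credits against Authorize.Net settlements) as one runnable script. This is an added example for this debrief, not PatchSiren's or AVideo's tooling. All inputs are constructed: the request-log line format, the wallet ledger columns and the settlement export are assumptions for the example, and a plain web-server access log will not carry the POST body, so the amount field assumes application-level or reverse-proxy logging that records it.

```php
<?php
// Added example for this debrief, not PatchSiren's or AVideo's own tooling.
// Constructed inputs: the request-log format, the wallet ledger columns and the
// settlement export are assumptions for the example, not AVideo's real formats.
declare(strict_types=1);

const PAYMENT_ENDPOINT = '/plugin/AuthorizeNet/processPayment.json.php';

// Constructed application-style request log: time, user id, method, path, amount parameter.
// A plain access log has no POST body; this assumes the application or proxy logs the amount.
const REQUEST_LOG = <<<'LOG'
2026-05-28T10:02:11Z users_id=42 POST /plugin/AuthorizeNet/processPayment.json.php amount=10.00
2026-05-28T10:02:15Z users_id=42 GET /video/index.php
2026-05-28T10:09:40Z users_id=77 POST /plugin/AuthorizeNet/processPayment.json.php amount=999999
2026-05-28T10:09:41Z users_id=77 POST /plugin/AuthorizeNet/processPayment.json.php amount=999999
2026-05-28T11:30:05Z users_id=13 POST /plugin/AuthorizeNet/processPayment.json.php amount=50.00
LOG;

/** POSTs to the payment endpoint with an amount above $maxPlausible, or repeated by one user within $windowSec. */
function suspiciousPaymentPosts(string $log, float $maxPlausible, int $windowSec = 60): array
{
    $hits = [];
    $lastByUser = [];
    foreach (explode("\n", trim($log)) as $line) {
        if (!preg_match('/^(\S+) users_id=(\d+) POST (\S+) amount=([\d.]+)$/', $line, $m)) {
            continue; // not a POST, or not in the constructed format
        }
        [, $ts, $uid, $path, $amount] = $m;
        if ($path !== PAYMENT_ENDPOINT) {
            continue;
        }
        $t = strtotime($ts);
        $reasons = [];
        if ((float) $amount > $maxPlausible) {
            $reasons[] = 'amount above plausible maximum';
        }
        if (isset($lastByUser[$uid]) && $t - $lastByUser[$uid] <= $windowSec) {
            $reasons[] = 'repeated within ' . $windowSec . 's';
        }
        $lastByUser[$uid] = $t;
        if ($reasons) {
            $hits[] = ['time' => $ts, 'users_id' => (int) $uid, 'amount' => (float) $amount, 'reasons' => $reasons];
        }
    }
    return $hits;
}

// Constructed wallet ledger rows (what the wallet plugin would record) and a constructed
// Authorize.Net settlement export keyed by transId; transId is the link between the two.
const WALLET_CREDITS = [
    ['id' => 1, 'users_id' => 42, 'amount' => 10.00,     'transId' => '60123456789'],
    ['id' => 2, 'users_id' => 77, 'amount' => 999999.00, 'transId' => null],
    ['id' => 3, 'users_id' => 77, 'amount' => 999999.00, 'transId' => null],
    ['id' => 4, 'users_id' => 13, 'amount' => 50.00,     'transId' => '60123456790'],
];
const SETTLED = [
    '60123456789' => 10.00,
    '60123456790' => 45.00, // settled for less than the ledger shows
];

/** Credits with no matching settlement, or whose settled amount differs from the credited amount. */
function unreconciledCredits(array $credits, array $settled): array
{
    $bad = [];
    foreach ($credits as $c) {
        if ($c['transId'] === null || !array_key_exists($c['transId'], $settled)) {
            $bad[] = ['id' => $c['id'], 'users_id' => $c['users_id'], 'reason' => 'no Authorize.Net settlement'];
        } elseif (abs($settled[$c['transId']] - $c['amount']) > 0.005) {
            $bad[] = ['id' => $c['id'], 'users_id' => $c['users_id'], 'reason' => 'amount differs from settlement'];
        }
    }
    return $bad;
}

foreach (suspiciousPaymentPosts(REQUEST_LOG, 500.00) as $h) {
    printf("%s users_id=%d amount=%.2f: %s\n", $h['time'], $h['users_id'], $h['amount'], implode(', ', $h['reasons']));
}
foreach (unreconciledCredits(WALLET_CREDITS, SETTLED) as $b) {
    printf("wallet credit #%d (users_id=%d): %s\n", $b['id'], $b['users_id'], $b['reason']);
}
```

On the constructed data the log check flags both of user 77's requests (the second one for both the amount and the repeat), and the reconciliation flags credits 2 and 3 for having no settlement at all and credit 4 for an amount mismatch. The reconciliation is the stronger signal: an exploited instance has wallet credits with no gateway transaction behind them whatever the amounts look like, so run it over the full ledger history rather than only the log retention window.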
Evidence notes
Vulnerability description sourced from official CVE record and NVD entry. CVSS 4.0 vector confirms network attack vector, low privileges required, and high integrity impact. GitHub Security Advisory GHSA-9392-pj54-qqf8 identified as primary source reference. CWE-345 classification confirmed via NVD weakness data.
Official resources
- CVE-2026-47696 CVE record (CVE.org)
- CVE-2026-47696 NVD detail (NVD)
- Source item: nvd_modified
- Source reference: 2026-05-29