GHSA-958H-QP3X-Q4GJ

Vulnerability from github – Published: 2026-05-05 22:16 – Updated: 2026-05-13 14:20
VLAI
Summary
AVideo: IDOR in PayPalYPT Plugin Allows Any Authenticated User to Cancel Arbitrary PayPal Subscription Agreements
Details

Summary

plugin/PayPalYPT/agreementCancel.json.php cancels a PayPal billing agreement using an attacker-supplied agreement parameter without verifying that the authenticated user owns the agreement. A low-privilege authenticated user who learns or obtains another user's PayPal billing agreement ID can silently suspend the victim's recurring subscription, causing revenue loss to the platform and loss of paid service to the victim.

Details

AVideo's PayPalYPT plugin ships two near-duplicate endpoints that cancel a PayPal billing agreement. Only one of them enforces ownership:

  • plugin/PayPalYPT/PayPalAgreementCancel.json.php:19 — correctly requires either admin or the agreement's owner: php if (!User::isAdmin() && !Subscription::isAgreementFromUser($_POST['agreement_id'], User::getId())) { $obj->msg = "Only the owner can delete his agreement"; die(json_encode($obj)); }

  • plugin/PayPalYPT/agreementCancel.json.php:9-26 — only checks User::isLogged() (in fact twice, redundantly) and then calls the cancellation directly:

php if (!User::isLogged()) { ... die; } // line 9 if (empty($_REQUEST['agreement'])) { ... die; } // line 14 if (!User::isLogged()) { ... die; } // line 19 — duplicate; no ownership check $plugin = AVideoPlugin::loadPluginIfEnabled("PayPalYPT"); $agreement = PayPalYPT::cancelAgreement($_REQUEST['agreement']); // line 26

PayPalYPT::cancelAgreement() at plugin/PayPalYPT/PayPalYPT.php:548-566 resolves the agreement ID against PayPal and calls $createdAgreement->suspend($agreementStateDescriptor, $apiContext) unconditionally — the server does not verify that the logged-in user's users_id matches the owner recorded in PayPalYPT_log (or wherever the agreement was registered):

public static function cancelAgreement($agreement_id)
{
    ...
    $createdAgreement = self::getBillingAgreement($agreement_id);
    try {
        $createdAgreement->suspend($agreementStateDescriptor, $apiContext);
        return Agreement::get($createdAgreement->getId(), $apiContext);
    } catch (Exception $ex) {
        return false;
    }
}

The intended UI caller is subscriptions_list.php:84 which posts the current user's own agreement IDs — but the server accepts any agreement parameter from any logged-in user. Agreement IDs can leak via _error_log entries written in agreementCancel.json.php:34 and webhook.php during normal operation, via PayPal receipt emails, or via other administrative and payment-log screens. No CSRF token is required, but the root defect is missing authorization, not CSRF.

PoC

  1. Log in as any low-privilege user (registered subscriber, commenter, free-tier account created via signUp).
  2. Obtain the target's PayPal agreement ID (e.g., I-ABCD1234XYZ). This may come from server error logs, email receipts, admin/payment screens, or other disclosures.
  3. Send the request with the victim's agreement ID:

bash curl -X POST 'https://target.example/plugin/PayPalYPT/agreementCancel.json.php' \ -b 'PHPSESSID=<attacker_session>' \ -d 'agreement=I-ABCD1234XYZ'

  1. Expected response: json {"error":false,"msg":""} The victim's billing agreement is suspended at PayPal via Agreement::suspend() (PayPalYPT.php:560). The victim stops being billed; AVideo subsequently reflects the subscription as inactive.

Impact

  • Any authenticated user can silently cancel another user's active PayPal recurring billing agreement.
  • Revenue disruption for the platform operator — any affected subscribers stop being billed.
  • Service disruption for the victim — their paid subscription lapses.
  • The defect is purely an authorization gap; the sister endpoint PayPalAgreementCancel.json.php demonstrates that the owner/admin check was intentional for this action but was not applied to this duplicate.

Recommended Fix

Port the ownership check from the sister endpoint into agreementCancel.json.php:

if (!User::isAdmin() && !Subscription::isAgreementFromUser($_REQUEST['agreement'], User::getId())) {
    $obj->msg = "Only the owner can cancel this agreement";
    die(json_encode($obj));
}

Alternative, preferred remediation: delete the duplicate agreementCancel.json.php entirely and point the cancelAgreement() JS helper in subscriptions_list.php:84 at the already-protected PayPalAgreementCancel.json.php endpoint (sending the expected agreement_id POST field). While patching, also remove the redundant second User::isLogged() branch at line 19.

Severity
4.2 (Medium)
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "wwbn/avideo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "29.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-43883"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-05T22:16:12Z",
    "nvd_published_at": "2026-05-11T22:22:12Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\n`plugin/PayPalYPT/agreementCancel.json.php` cancels a PayPal billing agreement using an attacker-supplied `agreement` parameter without verifying that the authenticated user owns the agreement. A low-privilege authenticated user who learns or obtains another user\u0027s PayPal billing agreement ID can silently suspend the victim\u0027s recurring subscription, causing revenue loss to the platform and loss of paid service to the victim.\n\n## Details\n\nAVideo\u0027s PayPalYPT plugin ships two near-duplicate endpoints that cancel a PayPal billing agreement. Only one of them enforces ownership:\n\n- `plugin/PayPalYPT/PayPalAgreementCancel.json.php:19` \u2014 correctly requires either admin or the agreement\u0027s owner:\n  ```php\n  if (!User::isAdmin() \u0026\u0026 !Subscription::isAgreementFromUser($_POST[\u0027agreement_id\u0027], User::getId())) {\n      $obj-\u003emsg = \"Only the owner can delete his agreement\";\n      die(json_encode($obj));\n  }\n  ```\n\n- `plugin/PayPalYPT/agreementCancel.json.php:9-26` \u2014 only checks `User::isLogged()` (in fact twice, redundantly) and then calls the cancellation directly:\n\n  ```php\n  if (!User::isLogged()) { ... die; }              // line 9\n  if (empty($_REQUEST[\u0027agreement\u0027])) { ... die; }   // line 14\n  if (!User::isLogged()) { ... die; }              // line 19 \u2014 duplicate; no ownership check\n  $plugin = AVideoPlugin::loadPluginIfEnabled(\"PayPalYPT\");\n  $agreement = PayPalYPT::cancelAgreement($_REQUEST[\u0027agreement\u0027]);  // line 26\n  ```\n\n`PayPalYPT::cancelAgreement()` at `plugin/PayPalYPT/PayPalYPT.php:548-566` resolves the agreement ID against PayPal and calls `$createdAgreement-\u003esuspend($agreementStateDescriptor, $apiContext)` unconditionally \u2014 the server does not verify that the logged-in user\u0027s `users_id` matches the owner recorded in `PayPalYPT_log` (or wherever the agreement was registered):\n\n```php\npublic static function cancelAgreement($agreement_id)\n{\n    ...\n    $createdAgreement = self::getBillingAgreement($agreement_id);\n    try {\n        $createdAgreement-\u003esuspend($agreementStateDescriptor, $apiContext);\n        return Agreement::get($createdAgreement-\u003egetId(), $apiContext);\n    } catch (Exception $ex) {\n        return false;\n    }\n}\n```\n\nThe intended UI caller is `subscriptions_list.php:84` which posts the current user\u0027s own agreement IDs \u2014 but the server accepts any `agreement` parameter from any logged-in user. Agreement IDs can leak via `_error_log` entries written in `agreementCancel.json.php:34` and `webhook.php` during normal operation, via PayPal receipt emails, or via other administrative and payment-log screens. No CSRF token is required, but the root defect is missing authorization, not CSRF.\n\n## PoC\n\n1. Log in as any low-privilege user (registered subscriber, commenter, free-tier account created via `signUp`).\n2. Obtain the target\u0027s PayPal agreement ID (e.g., `I-ABCD1234XYZ`). This may come from server error logs, email receipts, admin/payment screens, or other disclosures.\n3. Send the request with the victim\u0027s agreement ID:\n\n   ```bash\n   curl -X POST \u0027https://target.example/plugin/PayPalYPT/agreementCancel.json.php\u0027 \\\n     -b \u0027PHPSESSID=\u003cattacker_session\u003e\u0027 \\\n     -d \u0027agreement=I-ABCD1234XYZ\u0027\n   ```\n\n4. Expected response:\n   ```json\n   {\"error\":false,\"msg\":\"\"}\n   ```\n   The victim\u0027s billing agreement is suspended at PayPal via `Agreement::suspend()` (PayPalYPT.php:560). The victim stops being billed; AVideo subsequently reflects the subscription as inactive.\n\n## Impact\n\n- Any authenticated user can silently cancel another user\u0027s active PayPal recurring billing agreement.\n- Revenue disruption for the platform operator \u2014 any affected subscribers stop being billed.\n- Service disruption for the victim \u2014 their paid subscription lapses.\n- The defect is purely an authorization gap; the sister endpoint `PayPalAgreementCancel.json.php` demonstrates that the owner/admin check was intentional for this action but was not applied to this duplicate.\n\n## Recommended Fix\n\nPort the ownership check from the sister endpoint into `agreementCancel.json.php`:\n\n```php\nif (!User::isAdmin() \u0026\u0026 !Subscription::isAgreementFromUser($_REQUEST[\u0027agreement\u0027], User::getId())) {\n    $obj-\u003emsg = \"Only the owner can cancel this agreement\";\n    die(json_encode($obj));\n}\n```\n\nAlternative, preferred remediation: delete the duplicate `agreementCancel.json.php` entirely and point the `cancelAgreement()` JS helper in `subscriptions_list.php:84` at the already-protected `PayPalAgreementCancel.json.php` endpoint (sending the expected `agreement_id` POST field). While patching, also remove the redundant second `User::isLogged()` branch at line 19.",
  "id": "GHSA-958h-qp3x-q4gj",
  "modified": "2026-05-13T14:20:37Z",
  "published": "2026-05-05T22:16:12Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-958h-qp3x-q4gj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43883"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/commit/0da3dcff1eda2f497694bf82b559829471c292c2"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/WWBN/AVideo"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "AVideo: IDOR in PayPalYPT Plugin Allows Any Authenticated User to Cancel Arbitrary PayPal Subscription Agreements"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.