PT-2026-29353 · Avideo · Yptwallet+1

Adrgs · Published 2026-03-31 · Updated 2026-04-01 · CVE-2026-34395

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
AVideo versions 26.0 and prior

Description
The plugin/YPTWallet/view/users.json.php endpoint in AVideo allows any authenticated user to access the personal information and wallet balances of all platform users. The endpoint checks User::isLogged() where it should check User::isAdmin(), so the required authorization control is bypassed. Any registered user can therefore extract the complete user database, including Personally Identifiable Information (PII) such as emails, phone numbers, addresses, birth dates and real names, as well as financial data such as wallet balances. The query in YPTWallet::getAllUsers() selects all columns from the users and wallet tables. The cleanUpRowFromDatabase() function removes only the password and recoverPass fields, so the remaining sensitive columns are returned to the caller. The affected API endpoint is /plugin/YPTWallet/view/users.json.php, which relies on User::isLogged() for authorization. The vulnerable parameters are current and rowCount.

Recommendations
Change User::isLogged() to User::isAdmin() at plugin/YPTWallet/view/users.json.php:8.
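The authorization gate described above, shown before and after the recommended fix, as an added example rather than AVideo's own file. User::isLogged(), User::isAdmin(), YPTWallet::getAllUsers(), cleanUpRowFromDatabase(), current and rowCount are the names the advisory cites; the argument lists, the pagination cap, the column allowlist and the JSON shape are assumptions, and the snippet expects AVideo's classes to be loaded.

```php
<?php
// Added example (not AVideo's own code): the access check of
// plugin/YPTWallet/view/users.json.php as the advisory describes it,
// next to the recommended fix plus a stricter column cleanup.
declare(strict_types=1);

header('Content-Type: application/json');

$obj = new stdClass();
$obj->error = true;
$obj->msg = '';
$obj->rows = [];

// Before (vulnerable, line 8 per the advisory): any authenticated account
// passes, so every registered user can page through the whole user table.
//   if (!User::isLogged()) {
//       $obj->msg = 'Not logged';
//       die(json_encode($obj));
//   }

// After (recommended fix): only administrators may list all users and
// their wallet balances.
if (!User::isAdmin()) {
    http_response_code(403);
    $obj->msg = 'Admin only';
    die(json_encode($obj));
}

// Defensive handling of the two vulnerable parameters: cast and cap them
// instead of passing raw request values through to the query.
$current  = max(1, (int) ($_REQUEST['current'] ?? 1));
$rowCount = min(100, max(1, (int) ($_REQUEST['rowCount'] ?? 10)));

// Assumed signature: (page, rows per page), returning associative arrays.
$rows = YPTWallet::getAllUsers($current, $rowCount);

// The advisory notes that cleanUpRowFromDatabase() strips only password and
// recoverPass. Allowlisting the columns the listing actually needs (assumed
// set) keeps phone, address and birth date out of the response by default.
$allowed = array_flip(['id', 'user', 'name', 'email', 'balance']);
foreach ($rows as $row) {
    $row = cleanUpRowFromDatabase($row);
    $obj->rows[] = array_intersect_key($row, $allowed);
}

$obj->error = false;
echo json_encode($obj);
```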

Exploit · Fix · Missing Authorization


Weakness Enumeration

Related Identifiers

CVE-2026-34395
GHSA-77JP-MGCW-RFMR

Affected Products

Avideo
Yptwallet