PT-2026-30333 · WordPress · Blockonomicsypt

Adrgs · Published 2026-04-04 · Updated 2026-04-06 · CVE-2026-35448

CVSS v3.1: 3.7 (Low)

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions: AVideo versions 26.0 and prior

Description: The BlockonomicsYPT plugin's check.php endpoint returns payment order data for any Bitcoin address without authentication. The endpoint was intended as an AJAX polling helper for the authenticated invoice.php page but lacks its own access control checks. Since Bitcoin addresses are publicly visible on the blockchain, an attacker can query the payment records for any address used on the platform. The response includes the buyer's user ID, total payment value, currency, BTC amounts (expected and received), transaction ID, and payment status. The BlockonomicsYPT plugin is deprecated but remains functional in current installations.

Recommendations: Add an authentication check at plugin/BlockonomicsYPT/check.php:17: if (!User::isLogged()) { echo json_encode(["error" => "Login required"]); exit; }
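A hardened version of the polling handler, added here as an illustration rather than the plugin's own code: it applies the login check the advisory recommends and then goes one step further by checking that the caller owns the order, since authentication alone would still let any registered account poll another buyer's address. User::isLogged() comes from the advisory; User::getId(), User::isAdmin(), the address parameter name, the bootstrap path and the BlockonomicsOrder::getByAddress() lookup are assumptions.

```php
<?php
// Added example, not the BlockonomicsYPT plugin's code. Assumed: AVideo's
// bootstrap path, User::getId() / User::isAdmin(), the 'address' query
// parameter, and a hypothetical BlockonomicsOrder::getByAddress($addr) that
// returns an associative array (with a 'users_id' key) or false.
require_once dirname(__FILE__) . '/../../videos/configuration.php'; // assumed path

header('Content-Type: application/json');

// 1. Authentication: the advisory's recommended check, rejecting anonymous callers.
if (!User::isLogged()) {
    http_response_code(401);
    echo json_encode(["error" => "Login required"]);
    exit;
}

// 2. Input validation: only base58/bech32 characters of a plausible length reach
//    the lookup. This is a syntax check, not a checksum validation.
$address = isset($_GET['address']) ? trim($_GET['address']) : '';
if (!preg_match('/^[a-zA-Z0-9]{26,90}$/', $address)) {
    http_response_code(400);
    echo json_encode(["error" => "Invalid address"]);
    exit;
}

// 3. Authorization (beyond the advisory's one-line fix): a logged-in user may
//    only poll orders they own; an admin may poll any order.
$order = BlockonomicsOrder::getByAddress($address); // hypothetical lookup
if ($order === false) {
    http_response_code(404);
    echo json_encode(["error" => "Not found"]);
    exit;
}
if (!User::isAdmin() && intval($order['users_id']) !== intval(User::getId())) {
    http_response_code(403);
    echo json_encode(["error" => "Forbidden"]);
    exit;
}

// 4. Return only what the invoice page needs to poll, not the whole record.
echo json_encode([
    "status"       => $order['status'],
    "btc_expected" => $order['btc_expected'],
    "btc_received" => $order['btc_received'],
]);
```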


Weakness Enumeration

Missing Authorization

Related Identifiers

CVE-2026-35448
GHSA-3V7M-QG4X-58H9

Affected Products

Avideo
Blockonomicsypt