PT-2026-37295 · Avideo · Avideo
Offset · Published 2026-05-05 · Updated 2026-05-12 · CVE-2026-43879
CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: WWBN AVideo versions prior to 29.0

Description: An authenticated user can configure a donation-notification webhook URL to point to internal, loopback, or metadata hosts, such as http://127.0.0.1:8080/ or http://169.254.169.254/latest/. When another user makes a donation via the 'plugin/CustomizeUser/donate.json.php' endpoint, the server issues a curl POST request to the attacker-supplied URL, resulting in a blind Server-Side Request Forgery (SSRF). This occurs because the system uses isValidURL() for basic format checking instead of the more secure isSSRFSafeURL() helper. Furthermore, the CURLOPT_FOLLOWLOCATION option is enabled without per-hop revalidation, allowing an attacker to use an HTTP 307 redirect from an external host to bypass validation and reach internal resources. The request body includes several variables, including message, which is attacker-controlled.

Recommendations: Update to a version that includes commit aaacd48f29f1ff71d1eb5fc81d37605f593cefa9. As a temporary mitigation, restrict access to the 'plugin/YPTWallet/view/saveConfiguration.php' endpoint or disable the donation-notification webhook functionality.
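The description names two separate defects: the destination check is only a format check, and libcurl is allowed to follow redirects on its own, so a hop the application never validated can land on an internal address. The following is an added example, written for this page and not AVideo's own code or its isSSRFSafeURL() helper, of how a webhook sender closes both gaps. It assumes PHP 8 with the curl extension; the function names (is_public_ip, is_ssrf_safe_url, send_webhook_safely) and the sample URLs in the self-check are hypothetical. The guard refuses non-http(s) schemes and any host that resolves to a loopback, link-local (which covers 169.254.169.254), RFC 1918, ULA or otherwise reserved address; the sender keeps CURLOPT_FOLLOWLOCATION off, follows redirects by hand, runs every Location through the same guard, and pins the connect to the address it validated so the DNS answer cannot change between the check and the request.

```php
<?php
declare(strict_types=1);
// Added example, not AVideo's code. Function names (is_public_ip,
// is_ssrf_safe_url, send_webhook_safely) and the self-check URLs are hypothetical.

/** True when $ip is a public unicast address. FILTER_FLAG_NO_PRIV_RANGE drops
 *  RFC 1918 and fc00::/7; FILTER_FLAG_NO_RES_RANGE drops 127/8, 169.254/16,
 *  0/8, ::1, fe80::/10 and other reserved blocks. */
function is_public_ip(string $ip): bool
{
    return filter_var(
        $ip,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    ) !== false;
}

/**
 * Validate one webhook URL. Returns the public IP the request must be pinned
 * to, or null when the URL has to be refused (bad scheme, unresolvable host,
 * or any resolved address that is not public).
 */
function is_ssrf_safe_url(string $url): ?string
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['host']) || empty($parts['scheme'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null; // no file://, gopher://, dict:// and friends
    }
    $literal = trim($parts['host'], '[]');
    if (filter_var($literal, FILTER_VALIDATE_IP) !== false) {
        return is_public_ip($literal) ? $literal : null; // literal IP, no DNS lookup
    }
    $records = dns_get_record($parts['host'], DNS_A | DNS_AAAA);
    if ($records === false || $records === []) {
        return null;
    }
    $first = null;
    foreach ($records as $r) {
        $ip = $r['ip'] ?? $r['ipv6'] ?? null;
        if ($ip === null || !is_public_ip($ip)) {
            return null; // a name mixing public and private answers is refused outright
        }
        $first ??= $ip;
    }
    return $first;
}

/**
 * POST $payload to $url with CURLOPT_FOLLOWLOCATION off. Redirects (for
 * example a 307 from an external host) are followed by hand and every
 * Location is re-validated, so an external hop cannot steer the request inward.
 */
function send_webhook_safely(string $url, array $payload, int $maxHops = 3): array
{
    $current = $url;
    for ($hop = 0; $hop <= $maxHops; $hop++) {
        $ip = is_ssrf_safe_url($current);
        if ($ip === null) {
            return ['ok' => false, 'error' => "refused destination: $current"];
        }
        $parts = parse_url($current);
        $port  = $parts['port'] ?? (strtolower($parts['scheme']) === 'https' ? 443 : 80);
        $pin   = str_contains($ip, ':') ? "[$ip]" : $ip; // IPv6 literals are bracketed here

        $ch = curl_init($current);
        curl_setopt_array($ch, [
            CURLOPT_POST            => true,
            CURLOPT_POSTFIELDS      => http_build_query($payload),
            CURLOPT_RETURNTRANSFER  => true,
            CURLOPT_FOLLOWLOCATION  => false, // libcurl must not hop on its own
            CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
            CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
            // Pin the address we just validated so the DNS answer cannot change
            // between the check and the connect (DNS rebinding).
            CURLOPT_RESOLVE         => ["{$parts['host']}:$port:$pin"],
            CURLOPT_CONNECTTIMEOUT  => 5,
            CURLOPT_TIMEOUT         => 10,
        ]);
        $body     = curl_exec($ch);
        $status   = (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
        $location = (string) curl_getinfo($ch, CURLINFO_REDIRECT_URL); // '' when no redirect
        curl_close($ch);

        if ($status >= 300 && $status < 400 && $location !== '') {
            $current = $location; // next hop goes through is_ssrf_safe_url() again
            continue;
        }
        return ['ok' => $body !== false, 'status' => $status, 'final_url' => $current];
    }
    return ['ok' => false, 'error' => 'too many redirects'];
}

// Constructed self-check on literal addresses (no DNS or network needed):
// each of these must be refused before any request is built.
foreach (['http://127.0.0.1:8080/', 'http://169.254.169.254/latest/', 'http://[::1]/'] as $bad) {
    if (is_ssrf_safe_url($bad) !== null) {
        throw new RuntimeException("guard failed to refuse $bad");
    }
}
```

Two practical notes. The guard belongs at send time as well as at configuration-save time, because a hostname that resolved to a public address when the webhook was saved can resolve to a private one later; checking only at save time leaves the rebinding window open. And refusing a 3xx outright (instead of following it at all) is the simpler choice for a notification hook whose target the operator controls; manual following is shown here because it is what "per-hop revalidation" in the description means.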

Exploit · Fix · SSRF

Weakness Enumeration

Related Identifiers
CVE-2026-43879
GHSA-WP38-WHX3-XFFH

Affected Products
Avideo