PT-2026-37299 · Wwbn+1 · Avideo+1

Offset · Published 2026-05-05 · Updated 2026-05-12 · CVE-2026-43883

CVSS v3.1: 4.2 (Medium)
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L
Name of the Vulnerable Software and Affected Versions: WWBN AVideo versions prior to 29.1
Description: An authorization gap exists in the PayPalYPT plugin: the endpoint 'plugin/PayPalYPT/agreementCancel.json.php' cancels a PayPal billing agreement using an attacker-supplied agreement parameter without verifying whether the authenticated user owns that agreement. A low-privilege authenticated user who obtains another user's PayPal billing agreement ID can silently suspend the victim's recurring subscription. This leads to revenue loss for the platform and loss of paid service for the victim. The issue occurs because the server fails to verify that the logged-in user's ID matches the owner of the agreement before calling the cancelAgreement() function.
Recommendations: Update to a version that includes commit 0da3dcff1eda2f497694bf82b559829471c292c2. As a temporary workaround, restrict access to the 'plugin/PayPalYPT/agreementCancel.json.php' endpoint or disable the PayPalYPT plugin until the update is applied.
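The missing step the description names is an ownership check between reading the agreement parameter and calling cancelAgreement(). The PHP below is an added illustration of that check beside the unchecked pattern; it is not AVideo's code or the fix commit, and the subscriptions table, its columns and the cancelAgreement() stand-in are assumptions.

```php
<?php
// Added illustration of the ownership check the advisory says was missing.
// Not AVideo's code or the fix commit: table, columns and helpers are assumed.

$cancelled = [];                       // records what the stand-in "cancels"
function cancelAgreement(string $id): void { global $cancelled; $cancelled[] = $id; }

// Unchecked pattern: the agreement ID comes straight from the request and is
// cancelled without asking who owns it, so any logged-in user can cancel any ID.
function cancelUnchecked(PDO $db, array $request, int $currentUserId): array {
    $agreementId = (string)($request['agreement'] ?? '');
    cancelAgreement($agreementId);
    return ['error' => false];
}

// Hardened pattern: resolve the agreement to its owner first and refuse unless
// the owner is the logged-in user. One generic message for "missing" and
// "not yours" avoids confirming whether a guessed ID exists.
function cancelHardened(PDO $db, array $request, int $currentUserId): array {
    $agreementId = (string)($request['agreement'] ?? '');
    $stmt = $db->prepare('SELECT users_id FROM subscriptions WHERE agreement_id = ?');
    $stmt->execute([$agreementId]);
    $ownerId = $stmt->fetchColumn();                // false when no row matches
    if ($ownerId === false || (int)$ownerId !== $currentUserId) {
        error_log("agreementCancel denied: user=$currentUserId agreement=$agreementId");
        return ['error' => true, 'msg' => 'agreement not found or not yours'];
    }
    cancelAgreement($agreementId);
    return ['error' => false];
}

// Constructed sample data (assumed schema): user 1 owns I-AAA, user 2 owns I-BBB.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE subscriptions (agreement_id TEXT PRIMARY KEY, users_id INTEGER)');
$db->exec("INSERT INTO subscriptions VALUES ('I-AAA', 1), ('I-BBB', 2)");

// User 2 submits user 1's agreement ID, then their own.
$victimRequest = ['agreement' => 'I-AAA'];
$r1 = cancelUnchecked($db, $victimRequest, 2);          // cancels another user's agreement
$r2 = cancelHardened($db, $victimRequest, 2);           // refused by the ownership check
$r3 = cancelHardened($db, ['agreement' => 'I-BBB'], 2); // own agreement, allowed
var_dump($r1['error'] === false, $r2['error'] === true, $r3['error'] === false);
var_dump($cancelled);
```

The denied attempt is also logged with both user and agreement IDs, which is the signal a defender would alert on: repeated denials from one account against many agreement IDs.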

Exploit · Fix · IDOR


Weakness Enumeration

Related Identifiers

CVE-2026-43883
GHSA-958H-QP3X-Q4GJ

Affected Products

Avideo
Paypalypt