CVE-2026-47696: Authenticated Wallet Credit Bypass in WWBN AVideo AuthorizeNet Plugin
Vulnerability ID: CVE-2026-47696
CVSS Score: 7.1
Published: 2026-06-04
An authenticated wallet credit bypass vulnerability exists in WWBN AVideo version 29.0 and earlier. The AuthorizeNet plugin includes an unfinished mockup endpoint, processPayment.json.php, which lacks actual transaction verification and hardcodes success. This allows any authenticated user to credit their wallet with arbitrary balances without making any payments.
TL;DR
Authenticated users can inject arbitrary virtual funds into their wallets due to a hardcoded payment success flag and missing API validation in a placeholder endpoint.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-345
- Attack Vector: Network
- CVSS v4.0: 7.1
- CVSS v3.1: 4.3
- Exploit Status: PoC
- KEV Status: Not Listed
Affected Systems
- WWBN AVideo version 29.0 and earlier with AuthorizeNet and YPTWallet plugins enabled
- AVideo: <= 29.0 (Fixed in: Commit 8224024)
Exploit Details
- GitHub: Security advisory detailing the workflow and impact of the credit bypass.
Mitigation Strategies
- Upgrade WWBN AVideo to a patched version
- Manually delete the processPayment.json.php file
- Disable the AuthorizeNet plugin if not in use
Remediation Steps:
- Locate the file at plugin/AuthorizeNet/processPayment.json.php
- Verify the file contents match the vulnerable placeholder logic
- Delete the file from the filesystem
- Restart the web server or clear application cache if necessary
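The remediation steps above, as an added shell example that is not part of the original advisory or of AVideo. It checks for the endpoint file, counts past requests to it in an access log, and moves the file out of the web root so it can still be reviewed. The install root, the quarantine directory and the combined log format are assumptions, and the demo data is constructed.

```shell
# Added example (not AVideo code). Assumed: install root, quarantine dir,
# and an access log in combined format.
ENDPOINT_REL="plugin/AuthorizeNet/processPayment.json.php"

# Print the endpoint's path if it exists under the AVideo root, else return 1.
find_endpoint() {
    [ -f "$1/$ENDPOINT_REL" ] || return 1
    printf '%s\n' "$1/$ENDPOINT_REL"
}

# Move the file out of the web root (kept for review), confirm it is gone.
quarantine_endpoint() {
    local root="$1" qdir="$2" target
    target="$(find_endpoint "$root")" || return 0    # already absent
    mkdir -p "$qdir" && chmod 700 "$qdir" || return 1
    mv -- "$target" "$qdir/processPayment.json.php.$(date +%Y%m%d%H%M%S)" || return 1
    ! find_endpoint "$root" >/dev/null
}

# Count past requests to the endpoint per client address and HTTP status.
endpoint_hits() {
    awk -v p="/$ENDPOINT_REL" '
        { path = $7; sub(/\?.*$/, "", path) }          # $7 = request target
        substr(path, length(path) - length(p) + 1) == p { n[$1 " " $9]++ }
        END { for (k in n) print n[k], k }' "$1" | sort -rn
}

# Demo on constructed data: a fake install root and constructed log lines.
demo() {
    local d; d="$(mktemp -d)" || return 1
    mkdir -p "$d/www/plugin/AuthorizeNet" && : > "$d/www/$ENDPOINT_REL"
    cat > "$d/access.log" <<'EOF'
198.51.100.7 - - [04/Jun/2026:10:00:01 +0000] "POST /plugin/AuthorizeNet/processPayment.json.php HTTP/1.1" 200 52
198.51.100.7 - - [04/Jun/2026:10:00:09 +0000] "POST /plugin/AuthorizeNet/processPayment.json.php HTTP/1.1" 200 52
203.0.113.20 - - [04/Jun/2026:10:02:30 +0000] "GET /index.php HTTP/1.1" 200 9120
EOF
    endpoint_hits "$d/access.log"                  # prints: 2 198.51.100.7 200
    quarantine_endpoint "$d/www" "$d/quarantine" && echo "endpoint removed from web root"
    rm -rf "$d"
}
demo
```

On a real host, call `find_endpoint`, `endpoint_hits` and `quarantine_endpoint` with the actual install root and log path; the field positions in `endpoint_hits` only hold for the combined log format.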