Missing Authorization in AVideo - #VU129523
Published: May 4, 2026
Vulnerability identifier: #VU129523
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-862
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: World Wide Broadcast Network
Affected software:
AVideo
AVideo
Detailed vulnerability description
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to missing authorization in payment plugin list.json.php endpoints when handling unauthenticated requests for payment log data. A remote attacker can send a specially crafted request to disclose sensitive information.
The exposed records include PayPal billing agreement IDs, Express Checkout tokens, Authorize.Net webhook payloads, Bitcoin payment records, user identifiers, and payment amounts.
Remediation
Install security update from vendor's website.