WWBN AVideo's transferBalance() method in plugin/YPTWallet/YPTWallet.php suffers from a TOCTOU race condition due to lack of database transactions or row-level locking. The method reads the sender's wallet balance, checks if sufficient funds exist, then writes the new balance. Multiple concurrent authenticated requests can read the same stale balance and pass the check independently, resulting in only one deduction from the sender but multiple credits to the recipient. This vulnerability is tracked as CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization). The issue affects versions up to and including 26.0. A code commit (34132ad5159784bfc7ba0d7634bb5c79b769202d) reportedly contains a fix, but no official vendor advisory or patch link is provided.

An attacker with multiple authenticated sessions can exploit this race condition to fraudulently increase the recipient's wallet balance without corresponding deductions from the sender. This leads to financial integrity issues within the platform, potentially causing monetary loss or accounting discrepancies. The CVSS score of 5.3 (medium severity) reflects the requirement for low privileges but high attack complexity and no confidentiality or availability impact.

A fix is referenced in commit 34132ad5159784bfc7ba0d7634bb5c79b769202d, indicating that a code-level correction exists. However, patch status is not explicitly confirmed by a vendor advisory. Users should review this commit and apply the fix or upgrade to a version including this fix once officially released. Until then, limiting concurrent transfer requests per user session may reduce risk. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.