CVE-2026-34737 is a missing authorization vulnerability (CWE-862) found in the StripeYPT plugin of the open-source WWBN AVideo platform, affecting versions 26.0 and earlier. The vulnerability arises because the test.php debug endpoint, intended for administrative use, is accessible to any authenticated user. This endpoint processes Stripe webhook-style payloads to perform subscription-related operations. However, a critical bug in the retrieveSubscriptions() method causes it to cancel subscriptions instead of merely retrieving them. Consequently, an authenticated user can craft a request with an arbitrary subscription ID to cancel any Stripe subscription managed by the platform. This flaw violates proper authorization controls, allowing privilege escalation within the subscription management context. The vulnerability has a CVSS 3.1 base score of 6.5 (medium severity), reflecting its ease of exploitation by any logged-in user without user interaction and its impact on subscription integrity. No patches or official fixes are available at the time of disclosure, and no known exploits have been observed in the wild. The issue primarily threatens the integrity of subscription billing and service continuity for affected users.

The primary impact of this vulnerability is on the integrity of subscription management within organizations using WWBN AVideo with the StripeYPT plugin. Attackers with valid user credentials can cancel arbitrary subscriptions, potentially causing financial loss, service disruption for legitimate subscribers, and reputational damage. This could lead to customer dissatisfaction and increased support costs. While confidentiality and availability are not directly affected, the unauthorized cancellation of subscriptions undermines trust in the platform's billing system and may disrupt revenue streams. Organizations relying on subscription-based monetization through Stripe integrated with AVideo are particularly at risk. The vulnerability could also be leveraged for targeted attacks against high-value subscribers or to cause operational disruptions. Since exploitation requires only authenticated access, insider threats or compromised user accounts pose a significant risk vector.

To mitigate this vulnerability, organizations should immediately restrict access to the test.php debug endpoint to administrators only, for example by implementing strict access controls or IP whitelisting at the web server or application level. Disable or remove the StripeYPT plugin's debug endpoints if not required in production environments. Monitor subscription cancellation logs for unusual or unauthorized activity to detect potential exploitation attempts. Implement multi-factor authentication (MFA) to reduce the risk of account compromise by attackers seeking authenticated access. Until an official patch is released, consider isolating or limiting the use of the StripeYPT plugin or migrating subscription management to alternative secure methods. Engage with the WWBN AVideo community or vendor for updates and patches. Conduct regular security reviews of third-party plugins and debug endpoints to prevent similar authorization bypass issues.