CVE-2026-43883: CWE-639: Authorization Bypass Through User-Controlled Key in WWBN AVideo
CVE-2026-43883 is an authorization bypass vulnerability in WWBN AVideo versions up to and including 29. 0. It allows a low-privilege authenticated user to cancel another user's PayPal billing agreement by supplying the agreement ID without proper ownership verification. This can silently suspend the victim's recurring subscription, resulting in revenue loss for the platform and loss of paid service for the victim. The issue is fixed in a later commit (0da3dcff1eda2f497694bf82b559829471c292c2), but no official patch or advisory is currently provided.
AI Analysis
Technical Summary
WWBN AVideo's PayPal billing agreement cancellation endpoint (plugin/PayPalYPT/agreementCancel.json.php) does not verify that the authenticated user owns the billing agreement ID supplied in the request. This CWE-639 (Authorization Bypass Through User-Controlled Key) vulnerability enables a low-privilege authenticated user to cancel another user's PayPal billing agreement, disrupting recurring payments. The vulnerability affects versions up to 29.0. A fix is referenced in a specific commit, but no formal patch or vendor advisory is available to confirm deployment.
Potential Impact
An attacker with low privileges who obtains another user's PayPal billing agreement ID can cancel that user's recurring subscription without detection. This leads to loss of paid service for the victim and potential revenue loss for the platform. The CVSS score of 4.2 reflects a medium severity impact with low complexity and no confidentiality impact but with integrity and availability impacts.
Mitigation Recommendations
A fix for this vulnerability is indicated by a referenced commit, but no official patch or vendor advisory is currently available. Users should verify if their version includes the fix from commit 0da3dcff1eda2f497694bf82b559829471c292c2 or later. Until an official patch is released, restrict access to the affected endpoint and monitor for suspicious cancellation activity. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.
CVE-2026-43883: CWE-639: Authorization Bypass Through User-Controlled Key in WWBN AVideo
Description
CVE-2026-43883 is an authorization bypass vulnerability in WWBN AVideo versions up to and including 29. 0. It allows a low-privilege authenticated user to cancel another user's PayPal billing agreement by supplying the agreement ID without proper ownership verification. This can silently suspend the victim's recurring subscription, resulting in revenue loss for the platform and loss of paid service for the victim. The issue is fixed in a later commit (0da3dcff1eda2f497694bf82b559829471c292c2), but no official patch or advisory is currently provided.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
WWBN AVideo's PayPal billing agreement cancellation endpoint (plugin/PayPalYPT/agreementCancel.json.php) does not verify that the authenticated user owns the billing agreement ID supplied in the request. This CWE-639 (Authorization Bypass Through User-Controlled Key) vulnerability enables a low-privilege authenticated user to cancel another user's PayPal billing agreement, disrupting recurring payments. The vulnerability affects versions up to 29.0. A fix is referenced in a specific commit, but no formal patch or vendor advisory is available to confirm deployment.
Potential Impact
An attacker with low privileges who obtains another user's PayPal billing agreement ID can cancel that user's recurring subscription without detection. This leads to loss of paid service for the victim and potential revenue loss for the platform. The CVSS score of 4.2 reflects a medium severity impact with low complexity and no confidentiality impact but with integrity and availability impacts.
Mitigation Recommendations
A fix for this vulnerability is indicated by a referenced commit, but no official patch or vendor advisory is currently available. Users should verify if their version includes the fix from commit 0da3dcff1eda2f497694bf82b559829471c292c2 or later. Until an official patch is released, restrict access to the affected endpoint and monitor for suspicious cancellation activity. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-04T15:17:09.329Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a028749cbff5d86108b51af
Added to database: 5/12/2026, 1:50:01 AM
Last enriched: 5/12/2026, 1:55:06 AM
Last updated: 5/12/2026, 3:48:38 AM
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.