CVE-2026-33731 in AVideoinfo

Summary

by MITRE • 07/17/2026

WWBN AVideo is an open source video platform. In versions prior to 29.0, the Authorize.Net webhook handler at plugin/AuthorizeNet/webhook.php contains a signature verification bypass that allows an attacker to forge webhook requests with arbitrary payment amounts and target user IDs. By supplying a valid transaction ID from a small legitimate purchase, the attacker bypasses signature validation and credits arbitrary wallet balances to any user account via attacker-controlled payload fields. Three flaws combine into an exploit chain: signature bypass via OR logic (webhook.php:33), payload values override API-fetched values (AuthorizeNet.php:169-171, webhook.php:44-48) and a missing approval check (webhook.php:61-75). By forging payment metadata, an attacker can credit arbitrary amounts to any user's wallet without a corresponding payment and include a  plans_id  to activate premium subscriptions (webhook.php:86-134), enabling free access to all paid and premium content and causing direct revenue loss to the platform owner. This issue has been fixed in version 29.0.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 07/17/2026

The vulnerability in AVideo's Authorize.Net webhook handler represents a critical security flaw that undermines the platform's financial integrity and user account management systems. This issue affects versions prior to 29.0 and stems from a fundamental design weakness in how the system validates incoming payment notifications. The vulnerability operates through a sophisticated exploit chain that combines multiple technical weaknesses to create a comprehensive attack vector capable of bypassing core security controls.

The primary technical flaw manifests in the webhook.php file at line 33 where an insecure OR logic operation allows attackers to bypass signature verification entirely. This occurs when the system accepts valid transaction IDs from small legitimate purchases while simultaneously ignoring proper cryptographic signature validation. The vulnerability is classified under CWE-347 as it involves improper verification of cryptographic signatures, making it susceptible to man-in-the-middle attacks and unauthorized transaction manipulation. Additionally, this flaw aligns with ATT&CK technique T1078.004 which covers valid accounts used for unauthorized access.

The exploitation chain continues through payload manipulation in AuthorizeNet.php at lines 169-171 and webhook.php at lines 44-48 where attacker-controlled values can override legitimate API-fetched data. This parameter pollution vulnerability enables attackers to substitute genuine payment information with fabricated amounts, user IDs, and other transaction metadata. The system's failure to properly validate or sanitize these fields creates a second vector of attack that compounds the initial signature bypass issue.

A critical missing control exists in webhook.php at lines 61-75 where no proper approval check validates the legitimacy of incoming transactions before processing them. This absence allows forged payments to proceed directly into the system's financial processing pipeline without verification. The vulnerability extends beyond simple balance manipulation as attackers can also inject arbitrary plans_id values between lines 86-134 to activate premium subscriptions automatically. This creates a complete revenue loss scenario where unauthorized users gain access to paid content and premium features without making actual payments.

The combined impact of these three vulnerabilities creates an exploit chain that directly affects the platform's business model and user trust. Attackers can credit arbitrary wallet balances to any user account while simultaneously activating premium subscriptions, effectively providing free access to all paid content. This represents a significant financial risk for platform operators and demonstrates a complete breakdown in the payment processing security controls. The fix implemented in version 29.0 addresses these issues through proper signature validation, input sanitization, and mandatory approval checks that prevent unauthorized transaction processing.

The vulnerability highlights the importance of defense-in-depth principles in payment systems where multiple security layers must work together to prevent exploitation. Organizations should implement proper cryptographic verification mechanisms as outlined in NIST SP 800-57 and ensure that all external inputs are validated against known good data sources. The attack pattern described here also demonstrates how seemingly minor implementation flaws can compound to create severe business impact, emphasizing the need for comprehensive security testing including penetration testing and threat modeling exercises before deploying payment processing systems.

Responsible

GitHub M

Reservation

03/23/2026

Disclosure

07/17/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!