Skip to content

AVideo: Arbitrary Stripe Subscription Cancellation via Debug Endpoint and retrieveSubscriptions() Bug

Moderate severity GitHub Reviewed Published Mar 30, 2026 in WWBN/AVideo • Updated Apr 2, 2026

Package

composer wwbn/avideo (Composer)

Affected versions

<= 26.0

Patched versions

None

Description

Summary

The StripeYPT plugin includes a test.php debug endpoint that is accessible to any logged-in user, not just administrators. This endpoint processes Stripe webhook-style payloads and triggers subscription operations, including cancellation. Due to a bug in the retrieveSubscriptions() method that cancels subscriptions instead of merely retrieving them, any authenticated user can cancel arbitrary Stripe subscriptions by providing a subscription ID.

Details

At plugin/StripeYPT/test.php:4, the endpoint checks only for a logged-in user, not for admin privileges:

if (!User::isLogged())

At lines 27-29, the endpoint accepts a JSON payload from the request and processes it through the Stripe metadata handler:

$obj = StripeYPT::getMetadataOrFromSubscription(json_decode($_REQUEST['payload']));

The call chain proceeds as follows:

  • test.php calls getMetadataOrFromSubscription()
  • Which calls getSubscriptionId() to extract the subscription ID
  • Which calls retrieveSubscriptions() to interact with the Stripe API

At StripeYPT.php:933, the retrieveSubscriptions() method contains a critical bug where it cancels the subscription instead of just retrieving it:

$response = $sub->cancel();

This same bug also affects the production webhook processing path via processSubscriptionIPN(), meaning both the debug endpoint and the live webhook handler can trigger unintended cancellations.

Proof of Concept

  1. Log in as any regular (non-admin) user and obtain a session cookie.

  2. Send a crafted payload to the test endpoint with a target subscription ID:

curl -b "PHPSESSID=USER_SESSION" \
  "https://your-avideo-instance.com/plugin/StripeYPT/test.php" \
  -d 'payload={"data":{"object":{"id":"sub_TARGET_SUBSCRIPTION_ID","customer":"cus_CUSTOMER_ID"}}}'

  1. The endpoint processes the payload, calls retrieveSubscriptions(), and the subscription is cancelled via the Stripe API.

  2. To enumerate subscription IDs, check if the application exposes them through other endpoints or use predictable patterns:

# Check user subscription details if accessible
curl -b "PHPSESSID=USER_SESSION" \
  "https://your-avideo-instance.com/plugin/StripeYPT/listSubscriptions.php"
  1. The Stripe subscription is now cancelled. The affected user loses access to their paid features.

Impact

Any logged-in user can cancel arbitrary Stripe subscriptions belonging to other users. This causes direct financial damage to the platform operator (lost subscription revenue) and service disruption for paying subscribers who lose access to premium features. The debug endpoint should have been removed from production or restricted to admin-only access, and the retrieveSubscriptions() method should retrieve rather than cancel subscriptions.

  • CWE-862: Missing Authorization
  • Severity: Medium

Recommended Fix

Two changes are needed:

1. Restrict the debug endpoint to admins at plugin/StripeYPT/test.php:4:

// plugin/StripeYPT/test.php:4
if (!User::isAdmin())

Change User::isLogged() to User::isAdmin() so only administrators can access the debug endpoint.

2. Fix the retrieval bug at StripeYPT.php:933:

Remove the $sub->cancel() call from retrieveSubscriptions() so that the function only retrieves subscription data without cancelling it:

// StripeYPT.php:933 - remove the following line:
// $response = $sub->cancel();

The retrieveSubscriptions() method should retrieve subscription information, not cancel subscriptions as a side effect.

Found by aisafe.io

References

@DanielnetoDotCom DanielnetoDotCom published to WWBN/AVideo Mar 30, 2026
Published by the National Vulnerability Database Mar 31, 2026
Published to the GitHub Advisory Database Apr 1, 2026
Reviewed Apr 1, 2026
Last updated Apr 2, 2026

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

EPSS score

Exploit Prediction Scoring System (EPSS)

This score estimates the probability of this vulnerability being exploited within the next 30 days. Data provided by FIRST.
(9th percentile)

Weaknesses

Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action. Learn more on MITRE.

CVE ID

CVE-2026-34737

GHSA ID

GHSA-38rh-4v39-vfxv

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.