{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34737", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-30T18:41:20.754Z", "datePublished": "2026-03-31T20:53:51.550Z", "dateUpdated": "2026-04-03T16:34:47.338Z"}, "containers": {"cna": {"title": "AVideo: Arbitrary Stripe Subscription Cancellation via Debug Endpoint and retrieveSubscriptions() Bug", "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "lang": "en", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-38rh-4v39-vfxv", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-38rh-4v39-vfxv"}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"version": "<= 26.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T20:53:51.550Z"}, "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions 26.0 and prior, the StripeYPT plugin includes a test.php debug endpoint that is accessible to any logged-in user, not just administrators. This endpoint processes Stripe webhook-style payloads and triggers subscription operations, including cancellation. Due to a bug in the retrieveSubscriptions() method that cancels subscriptions instead of merely retrieving them, any authenticated user can cancel arbitrary Stripe subscriptions by providing a subscription ID. At time of publication, there are no publicly available patches."}], "source": {"advisory": "GHSA-38rh-4v39-vfxv", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-03T16:34:16.091055Z", "id": "CVE-2026-34737", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T16:34:47.338Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34737", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-03T16:34:16.091055Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T16:34:42.934Z"}}], "cna": {"title": "AVideo: Arbitrary Stripe Subscription Cancellation via Debug Endpoint and retrieveSubscriptions() Bug", "source": {"advisory": "GHSA-38rh-4v39-vfxv", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"status": "affected", "version": "<= 26.0"}]}], "references": [{"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-38rh-4v39-vfxv", "name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-38rh-4v39-vfxv", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions 26.0 and prior, the StripeYPT plugin includes a test.php debug endpoint that is accessible to any logged-in user, not just administrators. This endpoint processes Stripe webhook-style payloads and triggers subscription operations, including cancellation. Due to a bug in the retrieveSubscriptions() method that cancels subscriptions instead of merely retrieving them, any authenticated user can cancel arbitrary Stripe subscriptions by providing a subscription ID. At time of publication, there are no publicly available patches."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T20:53:51.550Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34737", "state": "PUBLISHED", "dateUpdated": "2026-04-03T16:34:47.338Z", "dateReserved": "2026-03-30T18:41:20.754Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-31T20:53:51.550Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*", "matchCriteriaId": "774C24F1-9D26-484F-B931-1DA107C8F588", "versionEndIncluding": "26.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions 26.0 and prior, the StripeYPT plugin includes a test.php debug endpoint that is accessible to any logged-in user, not just administrators. This endpoint processes Stripe webhook-style payloads and triggers subscription operations, including cancellation. Due to a bug in the retrieveSubscriptions() method that cancels subscriptions instead of merely retrieving them, any authenticated user can cancel arbitrary Stripe subscriptions by providing a subscription ID. At time of publication, there are no publicly available patches."}], "id": "CVE-2026-34737", "lastModified": "2026-04-01T18:45:32.093", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-31T21:16:32.247", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-38rh-4v39-vfxv"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,26.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "AVideo", "source": "cna", "vendor": "WWBN"}, "product": "avideo", "vendor": "wwbn"}], "analysis": {"en": {"generated_at": "2026-04-02T05:15:21.815928+00:00", "value": {"mitigation_remediation": ["Disable or restrict the test.php debug endpoint so that only administrators can access it.", "Rename or remove the debug endpoint to eliminate the accidental cancellation trigger.", "Upgrade WWBN AVideo to a version newer than 26.0 once the vendor releases a fix for the retrieveSubscriptions() bug.", "Enforce strict role\u2011based access control to prevent ordinary users from calling any endpoint that interacts with Stripe functions.", "Monitor Stripe account logs for unexpected cancellations and investigate anomalies promptly."], "summary": {"action": "Restrict Access", "impact": "Subscription cancellation"}, "threat_synthesis": {"affected_systems": "The vulnerability exists in the StripeYPT plugin bundled with WWBN AVideo releases 26.0 through the earliest available versions. Any installation that has not applied a later fix and still includes the test.php debug endpoint is exposed. The flaw is limited to environments where the plugin is active and the debug page is reachable, but the attack does not require elevated administrative privileges\u2014only a logged\u2011in user account is sufficient.", "description_and_impact": "In open\u2011source video platforms running WWBN AVideo version 26.0 or earlier, a debug endpoint named test.php is exposed to every logged\u2011in user. The endpoint accepts Stripe\u2011style payloads and, due to a fault in the retrieveSubscriptions() routine, initiates cancellation of the subscription rather than only retrieving information. An attacker who authenticates to the site can therefore supply any Stripe subscription identifier and cause that subscription to terminate, resulting in irreversible financial loss and service disruption. The weakness is an access\u2011control flaw that allows authenticated users to execute privileged actions (CWE\u2011862).", "risk_and_exploitability": "The CVSS score of 6.5 indicates medium severity, and the EPSS score of less than 1% suggests a currently low probability of exploitation. However, because the vulnerability requires only authentication and no high\u2011privilege access, it provides a straightforward path to customer\u2011owned payment accounts for miscreants. The issue is not yet catalogued by CISA as a known exploited vulnerability, but that does not diminish the potential impact for users. Until an official patch is released, organizations should be vigilant for unexplained Stripe cancellations and consider restricting or disabling the affected endpoint."}}}}, "created": "2026-04-02T07:52:21.717515+00:00", "updated": "2026-04-02T20:10:37.103118+00:00", "vendors": ["wwbn", "wwbn$PRODUCT$avideo"]}