{"vulnerability": "cve-2026-47696", "sightings": [{"uuid": "44d08af3-49f5-4af1-b830-e22a855c0e9c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-47696", "type": "published-proof-of-concept", "source": "https://github.com/WWBN/AVideo/security/advisories/GHSA-9392-pj54-qqf8", "content": "", "creation_timestamp": "2026-05-19T15:01:00.000000Z"}, {"uuid": "2764ea58-f7f9-4954-a57a-a9fc6a629c4b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-47696", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mmz35lsz4e23", "content": "CVE-2026-47696 - WWBN AVideo: Authenticated wallet credit bypass in AuthorizeNet processPayment endpoint\nCVE ID : CVE-2026-47696\n \n Published : May 29, 2026, 2:16 p.m. | 1\u00a0hour, 55\u00a0minutes ago\n \n Description : WWBN AVideo is an open source video platform. In 29.0 and earlier, ...", "creation_timestamp": "2026-05-29T17:35:59.518044Z"}, {"uuid": "a4b181c7-1aee-421d-8a84-ebc1516b0bb6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-47696", "type": "seen", "source": "https://gist.github.com/alon710/8d83dcf8c5f6eaceac335292cf54a077", "content": "# CVE-2026-47696: CVE-2026-47696: Authenticated Wallet Credit Bypass in WWBN AVideo AuthorizeNet Plugin\n\n> **CVSS Score:** 7.1\n> **Published:** 2026-06-04\n> **Full Report:** https://cvereports.com/reports/CVE-2026-47696\n\n## Summary\nAn authenticated wallet credit bypass vulnerability exists in WWBN AVideo version 29.0 and earlier. The AuthorizeNet plugin includes an unfinished mockup endpoint, processPayment.json.php, which lacks actual transaction verification and hardcodes success. This allows any authenticated user to credit their wallet with arbitrary balances without making any payments.\n\n## TL;DR\nAuthenticated users can inject arbitrary virtual funds into their wallets due to a hardcoded payment success flag and missing API validation in a placeholder endpoint.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-345\n- **Attack Vector**: Network\n- **CVSS v4.0**: 7.1\n- **CVSS v3.1**: 4.3\n- **Exploit Status**: PoC\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- WWBN AVideo version 29.0 and earlier with AuthorizeNet and YPTWallet plugins enabled\n- **AVideo**: <= 29.0 (Fixed in: `Commit 8224024`)\n\n## Mitigation\n\n- Upgrade WWBN AVideo to a patched version\n- Manually delete the processPayment.json.php file\n- Disable the AuthorizeNet plugin if not in use\n\n**Remediation Steps:**\n1. Locate the file at plugin/AuthorizeNet/processPayment.json.php\n2. Verify the file contents match the vulnerable placeholder logic\n3. Delete the file from the filesystem\n4. Restart the web server or clear application cache if necessary\n\n## References\n\n- [GitHub Security Advisory GHSA-9392-pj54-qqf8](https://github.com/WWBN/AVideo/security/advisories/GHSA-9392-pj54-qqf8)\n- [Patch Commit deleting processPayment.json.php](https://github.com/WWBN/AVideo/commit/822402444b4db4e9442779c8c789ffe5312b3627)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-47696) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-04T19:40:55.000000Z"}, {"uuid": "a01ddf88-c4d5-486a-aac8-69429bbebe7f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-47696", "type": "seen", "source": "https://gist.github.com/alon710/94ad07ac90371ecb50e3be0d7c9cdb9e", "content": "# CVE-2026-47696: CVE-2026-47696: Authenticated Wallet Credit Bypass in WWBN AVideo AuthorizeNet Plugin\n\n> **CVSS Score:** 7.1\n> **Published:** 2026-06-04\n> **Full Report:** https://cvereports.com/reports/CVE-2026-47696\n\n## Summary\nAn authenticated wallet credit bypass vulnerability exists in WWBN AVideo version 29.0 and earlier. The AuthorizeNet plugin includes an unfinished mockup endpoint, processPayment.json.php, which lacks actual transaction verification and hardcodes success. This allows any authenticated user to credit their wallet with arbitrary balances without making any payments.\n\n## TL;DR\nAuthenticated users can inject arbitrary virtual funds into their wallets due to a hardcoded payment success flag and missing API validation in a placeholder endpoint.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-345\n- **Attack Vector**: Network\n- **CVSS v4.0**: 7.1\n- **CVSS v3.1**: 4.3\n- **Exploit Status**: PoC\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- WWBN AVideo version 29.0 and earlier with AuthorizeNet and YPTWallet plugins enabled\n- **AVideo**: <= 29.0 (Fixed in: `Commit 8224024`)\n\n## Mitigation\n\n- Upgrade WWBN AVideo to a patched version\n- Manually delete the processPayment.json.php file\n- Disable the AuthorizeNet plugin if not in use\n\n**Remediation Steps:**\n1. Locate the file at plugin/AuthorizeNet/processPayment.json.php\n2. Verify the file contents match the vulnerable placeholder logic\n3. Delete the file from the filesystem\n4. Restart the web server or clear application cache if necessary\n\n## References\n\n- [GitHub Security Advisory GHSA-9392-pj54-qqf8](https://github.com/WWBN/AVideo/security/advisories/GHSA-9392-pj54-qqf8)\n- [Patch Commit deleting processPayment.json.php](https://github.com/WWBN/AVideo/commit/822402444b4db4e9442779c8c789ffe5312b3627)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-47696) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-04T19:50:59.000000Z"}]}