WWBN AVideo YPTWallet Stripe Plugin Reflected Cross-Site Scripting Vulnerability

A reflected cross-site scripting vulnerability has been identified in the YPTWallet Stripe payment confirmation page of WWBN AVideo, in versions through 26.0. The issue arises because the page directly outputs the `$_REQUEST['plugin']` parameter into a JavaScript block without any proper encoding or sanitization. This parameter is not filtered by the application's security framework, allowing attackers to inject arbitrary JavaScript. Exploitation of this vulnerability is particularly concerning as it also exposes the current user's username and password hash, enabling immediate credential theft.

Impact

Successful exploitation allows for the execution of arbitrary JavaScript in the context of the affected user. This could lead to session hijacking, payment manipulation, or account takeover, especially given the lack of Content-Security-Policy headers which would normally restrict such actions.

Reproduction

To reproduce this vulnerability, navigate to the 'addFunds.php' page which includes the vulnerable 'confirmButton.php' template. Then, send a crafted URL that injects JavaScript into the 'plugin' parameter. Once the payload is executed, the injected JavaScript can access and exfiltrate the user's credentials that are leaked on the same page.

Remediation

Users are advised to update the 'plugin' parameter handling in 'confirmButton.php' to ensure proper JSON encoding. The vulnerability has been fixed in the latest commit.