WWBN AVideo
cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*
- <= 26.0
A vulnerability exists in WWBN AVideo versions through 26.0, where the plugin/YPTWallet/view/users.json.php endpoint improperly authorizes access. The endpoint's only access check is whether the caller is logged in; it never checks for administrative privileges. As a result, any authenticated user can retrieve the complete list of platform users, including personal information and wallet balances, rather than only administrators who have a legitimate need for that data.
Exploitation of this vulnerability leads to unauthorized access to personal information of all users on the platform, including email addresses, phone numbers, physical addresses, birth dates, real names, and financial data such as wallet balances. This constitutes a mass data breach, potentially triggering notification requirements under GDPR or CCPA.
To reproduce this vulnerability, log in as any regular (non-admin) user. Once authenticated, send a POST request to the plugin/YPTWallet/view/users.json.php endpoint. The response will include data for all users on the platform, such as email addresses, phone numbers, physical addresses, birth dates, real names, and wallet balances.
To address this vulnerability, modify the authorization check in the users.json.php file to require administrative privileges. This can be done by replacing the current check for User::isLogged() with User::isAdmin().
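The following is an added illustration of the reproduction and the fix described above; it is not AVideo's own code. It models a users.json.php-style handler behind the weak `User::isLogged()` gate and beside it the same handler behind `User::isAdmin()`, then drives both as a regular user and as an admin. The `User` class, the session array and the sample user table are constructed stand-ins (assumptions), not the project's real classes or data.

```php
<?php
// Added illustration, not AVideo's own code: the authorization gate of a
// users.json.php-style endpoint before and after the fix. The User class
// and the session shape are assumed stand-ins for the project's real ones.

final class User
{
    // Constructed session state for the demo; AVideo's real storage differs.
    public static array $session = [];

    public static function isLogged(): bool
    {
        return !empty(self::$session['users_id']);
    }

    public static function isAdmin(): bool
    {
        return self::isLogged() && !empty(self::$session['isAdmin']);
    }
}

// Constructed sample user table mimicking the fields the advisory says leak.
const USERS = [
    ['id' => 1, 'name' => 'Alice', 'email' => 'alice@example.com', 'phone' => '+15550100', 'balance' => 120.50],
    ['id' => 2, 'name' => 'Bob',   'email' => 'bob@example.com',   'phone' => '+15550101', 'balance' => 3.25],
];

// Vulnerable gate: any logged-in user passes, so the whole table is returned.
function usersJsonVulnerable(): array
{
    if (!User::isLogged()) {
        return ['status' => 403, 'body' => ['error' => 'login required']];
    }
    return ['status' => 200, 'body' => USERS];
}

// Fixed gate: require admin. isAdmin() implies isLogged(), so a single check
// covers both the anonymous and the non-admin cases.
function usersJsonFixed(): array
{
    if (!User::isAdmin()) {
        return ['status' => 403, 'body' => ['error' => 'admin privileges required']];
    }
    return ['status' => 200, 'body' => USERS];
}

// Drive both handlers as a regular (non-admin) user and as an admin.
foreach ([
    'regular user' => ['users_id' => 7, 'isAdmin' => false],
    'admin'        => ['users_id' => 1, 'isAdmin' => true],
] as $label => $session) {
    User::$session = $session;
    foreach (['vulnerable' => usersJsonVulnerable(), 'fixed' => usersJsonFixed()] as $variant => $resp) {
        $rows = $resp['status'] === 200 ? count($resp['body']) : 0;
        printf("%-12s %-10s HTTP %d, %d user records exposed\n", $label, $variant, $resp['status'], $rows);
    }
}
```

Run with `php users_json_demo.php`. The regular-user row for the vulnerable variant is the advisory's finding: a non-admin session receives every user record. After the fix only the admin session does, and the failure response does not reveal what the endpoint would have returned.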