WWBN AVideo StripeYPT Plugin Subscription Cancellation Vulnerability

Vulnerability

A vulnerability exists in the WWBN AVideo platform, specifically in versions through 26.0, within the StripeYPT plugin. The issue arises from a debug endpoint, test.php, which is accessible to all logged-in users rather than only to administrators. This endpoint processes Stripe webhook-style payloads and initiates subscription operations, including cancellations. A bug in the retrieveSubscriptions() method, which cancels the subscription it is asked to retrieve, allows any authenticated user to cancel arbitrary Stripe subscriptions by supplying a subscription ID. At the time of publication, no patches are available.

Impact

The vulnerability allows any logged-in user to cancel arbitrary Stripe subscriptions of other users, leading to financial loss for the platform operator and disruption of service for affected subscribers who lose access to premium features.

Reproduction

To reproduce this vulnerability, log in as a regular user and obtain a session cookie. Then, send a payload to the test endpoint including a target subscription ID. The endpoint will process the payload, call the retrieveSubscriptions() method, and cancel the subscription via the Stripe API. This vulnerability can also be reproduced through the production webhook processing path, which similarly cancels subscriptions instead of just retrieving them.

Remediation

To address this vulnerability, the debug endpoint should be restricted to administrators, and the retrieveSubscriptions() method should be corrected so that it only retrieves subscription data and never cancels it. Because the production webhook path reaches the same method, that path is fixed by the same correction.
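The two remediation points above, as an added example written for this page; it is not StripeYPT or AVideo code. It assumes the stripe-php SDK is loaded via Composer, that AVideo's User::isAdmin() helper is available for the admin check (hypothetical here, so a fallback is provided), and that the Stripe API key and webhook signing secret are passed in by the caller. Signature verification on the webhook path is an extra hardening step not stated in the advisory.

```php
<?php
// Added example for the advisory's remediation section, not plugin code.
// Assumptions (not from the advisory): stripe-php via Composer, AVideo's
// User::isAdmin() helper, $apiKey / $endpointSecret supplied by the caller.
require_once __DIR__ . '/vendor/autoload.php';

// (1) Debug endpoint: refuse non-administrators before reading any payload.
// A logged-in session alone is not sufficient; the plugin must check the role.
function guardDebugEndpoint(): void
{
    $isAdmin = class_exists('User') && method_exists('User', 'isAdmin')
        ? User::isAdmin()   // AVideo helper (assumed); replace with the real role check
        : false;            // fail closed if the helper is not available
    if (!$isAdmin) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// (2) retrieveSubscriptions() as a read-only lookup. The defective version
// called cancel() on the object it fetched; here the only Stripe call is
// retrieve(), and malformed IDs are skipped instead of being sent to the API.
function retrieveSubscriptions(string $apiKey, array $subscriptionIds): array
{
    \Stripe\Stripe::setApiKey($apiKey);
    $result = [];
    foreach ($subscriptionIds as $id) {
        if (!preg_match('/^sub_[A-Za-z0-9]+$/', $id)) {
            continue;
        }
        $sub = \Stripe\Subscription::retrieve($id);
        $result[$id] = [
            'status'             => $sub->status,
            'customer'           => $sub->customer,
            'current_period_end' => $sub->current_period_end,
        ];
    }
    return $result;
}

// Cancellation lives in a separate function that is never reached from the
// webhook or debug path, and it refuses unless the subscription belongs to
// the Stripe customer tied to the calling user.
function cancelOwnSubscription(string $apiKey, string $subscriptionId, string $callerCustomerId): bool
{
    \Stripe\Stripe::setApiKey($apiKey);
    $sub = \Stripe\Subscription::retrieve($subscriptionId);
    if ($sub->customer !== $callerCustomerId) {
        return false; // not the caller's subscription
    }
    $sub->cancel();
    return true;
}

// Production webhook path: verify the Stripe-Signature header, then only
// read subscription state. Nothing in this handler mutates a subscription.
function handleWebhook(string $apiKey, string $endpointSecret, string $rawBody, string $sigHeader): array
{
    $event = \Stripe\Webhook::constructEvent($rawBody, $sigHeader, $endpointSecret);
    if (strpos($event->type, 'customer.subscription.') !== 0) {
        return [];
    }
    $subscriptionId = $event->data->object->id;
    return retrieveSubscriptions($apiKey, [$subscriptionId]);
}
```

The design point is separation: retrieval and cancellation are different functions, the request paths that accept external input (debug endpoint, webhook) can only reach the retrieval one, and the cancellation function carries its own ownership check instead of trusting a subscription ID from the request.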

Added: Mar 31, 2026, 9:39 PM
Updated: Mar 31, 2026, 9:39 PM

Vulnerability Rating

Custom Algorithm

spread:         1.0
impact:         0.8
exploitability: 7.2
remediation:    0.0
relevance:      5.0
threat:         6.4
urgency:        2.9
incentive:      0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.