WWBN AVideo BlockonomicsYPT Plugin Unauthenticated Payment Data Disclosure Vulnerability

Vulnerability

A vulnerability exists in the BlockonomicsYPT plugin for WWBN AVideo, affecting versions through 26.0. The issue arises in the plugin's check.php endpoint, which returns payment order data for any Bitcoin address without requiring authentication. This endpoint, intended as an AJAX polling helper for the authenticated invoice.php page, lacks proper access control. As a result, an attacker can query payment records for any address used on the platform, exploiting the fact that Bitcoin addresses are publicly visible on the blockchain.

Impact

The vulnerability allows for the unauthorized disclosure of payment order data, including user IDs, transaction amounts, and details. It links on-chain Bitcoin transactions to specific platform user IDs, violating the privacy of users who made cryptocurrency payments on the platform.

Reproduction

To reproduce this vulnerability, send a GET request to the BlockonomicsYPT check.php endpoint with a Bitcoin address as a parameter. No authentication is required, and the response will include payment order data for the specified address.

Remediation

It is recommended to add an authentication check to the check.php endpoint to ensure that only logged-in users can access payment order data.
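A hardened form of the polling endpoint, written here as an added example rather than the plugin's actual check.php. It assumes AVideo's User::isLogged(), User::getId() and User::isAdmin() helpers, an `address` GET parameter, and a hypothetical BlockonomicsYPT_getOrderByAddress() lookup returning a row with users_id, status and amount columns; it goes beyond the login check above by also enforcing ownership of the order.

```php
<?php
// Added example, not the plugin's own code: a hardened check.php pattern for
// the BlockonomicsYPT polling endpoint. Assumptions: AVideo's User::isLogged(),
// User::getId(), User::isAdmin() (objects/user.php), the GET parameter name
// "address", and a hypothetical helper BlockonomicsYPT_getOrderByAddress()
// that returns the order row as an array or false.

require_once dirname(__FILE__) . '/../../videos/configuration.php';

header('Content-Type: application/json');

$obj = new stdClass();
$obj->error = true;
$obj->msg = '';

// 1. The missing access control: refuse anonymous callers outright.
if (!User::isLogged()) {
    http_response_code(401);
    $obj->msg = 'Not logged in';
    die(json_encode($obj));
}

// 2. Validate the input before it reaches a query. The pattern is a loose
//    shape check for legacy/P2SH and bech32 mainnet addresses (assumed here).
$address = isset($_GET['address']) ? trim($_GET['address']) : '';
if (!preg_match('/^(bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$/', $address)) {
    http_response_code(400);
    $obj->msg = 'Invalid address';
    die(json_encode($obj));
}

// 3. Being logged in is not enough: only the order's owner (or an admin) may
//    read it, otherwise any registered account could still look up addresses.
$order = BlockonomicsYPT_getOrderByAddress($address); // hypothetical helper
if (empty($order) || ((int)$order['users_id'] !== (int)User::getId() && !User::isAdmin())) {
    // Identical response for "not found" and "not yours", so the endpoint
    // does not confirm which addresses belong to orders on this platform.
    http_response_code(404);
    $obj->msg = 'Order not found';
    die(json_encode($obj));
}

// 4. Return only the fields the invoice page needs to poll, not the whole row.
$obj->error = false;
$obj->status = $order['status'];
$obj->amount = $order['amount'];
die(json_encode($obj));
```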

Added: Apr 6, 2026, 10:25 PM
Updated: Apr 6, 2026, 10:25 PM

Vulnerability Rating (Custom Algorithm)

spread          1.0
impact          0.6
exploitability  9.3
remediation     0.0
relevance       5.4
threat          6.4
urgency         2.9
incentive       8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.