WWBN AVideo PayPal IPN Transaction Replay Vulnerability Allowing Wallet Inflation and Subscription Renewal

Vulnerability

A vulnerability exists in WWBN AVideo versions through 26.0 in the PayPal IPN v1 handler at plugin/PayPalYPT/ipn.php. The handler performs no transaction deduplication: it does not record which PayPal transactions it has already credited, so an attacker can replay a single legitimate IPN notification any number of times. Each replay is processed as a fresh payment, inflating the attacker's wallet balance and renewing the subscription again. The newer ipnV2.php and webhook.php handlers deduplicate by recording each processed transaction in PayPalYPT_log and rejecting repeats, but the v1 handler never received that fix and is still the notify_url configured for billing plans, so it remains reachable in the payment flow.

Impact

Exploitation allows unbounded inflation of wallet balances and unbounded subscription renewals from a single real payment. Every replayed notification adds the subscription amount to the attacker's wallet, which can then be spent on paid content the attacker never paid for. Each replay also calls Subscription::renew() again, extending the subscription indefinitely. The platform operator bears the loss: one genuine PayPal payment is converted into an arbitrary amount of wallet credit and access time.

Reproduction

To reproduce this vulnerability, first complete a legitimate PayPal subscription; PayPal will send an IPN notification to the vulnerable ipn.php handler, including the recurring_payment_id. Next, capture the IPN POST data, either from PayPal's IPN History or by intercepting the request during the subscription process. Finally, replay the captured POST body to the ipn.php endpoint. Each replay passes the IPN verification step, because PayPal's postback check only confirms that the message is one PayPal originally sent, not that it has already been processed, and so each replay triggers the wallet credit and subscription renewal again. The replay can be done manually or automated with a script.
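The following is an added illustration, not code from AVideo: a small Python model of an IPN handler run in the vulnerable mode (no deduplication) and in a hardened mode that, like the page says the v2 handler does, refuses a transaction it has already processed. The PayPal postback is stubbed so the script runs offline, the wallet is a plain object, and the sample IPN body is constructed; txn_id, recurring_payment_id, mc_gross and payment_status are real PayPal IPN field names, while the function and type names are assumptions made for this example. Replaying the same captured body three times shows the balance tripling in the vulnerable mode and being credited once in the hardened one.

```python
"""Model of a PayPal IPN handler with and without transaction deduplication.

Constructed example: the PayPal postback (cmd=_notify-validate) is stubbed so
this runs offline, and the account is a plain dataclass rather than a database
row. The in-memory set of seen txn_ids stands in for the PayPalYPT_log lookup
the hardened handlers use.
"""
from dataclasses import dataclass, field
from decimal import Decimal


@dataclass
class Account:
    wallet: Decimal = Decimal("0")
    renewals: int = 0
    seen_txn_ids: set = field(default_factory=set)  # stand-in for PayPalYPT_log


def paypal_verify(ipn: dict) -> bool:
    """Stand-in for the _notify-validate postback.

    PayPal answers VERIFIED for any message it really sent, including one an
    attacker replays later, so this check alone cannot detect a replay.
    """
    return ipn.get("verify_sign", "") != ""


def handle_ipn(ipn: dict, acct: Account, dedupe: bool) -> str:
    """Process one IPN body. dedupe=False models ipn.php; dedupe=True models the fix."""
    if not paypal_verify(ipn):
        return "INVALID"
    if ipn.get("payment_status") != "Completed":
        return "IGNORED"
    txn_id = ipn["txn_id"]
    if dedupe:
        # Key on txn_id, not recurring_payment_id: every renewal of one
        # subscription shares the same recurring_payment_id but carries its
        # own txn_id, so deduplicating on the former would reject legitimate
        # renewals while deduplicating on the latter rejects only replays.
        if txn_id in acct.seen_txn_ids:
            return "DUPLICATE"
        acct.seen_txn_ids.add(txn_id)
    acct.wallet += Decimal(ipn["mc_gross"])
    acct.renewals += 1  # models the Subscription::renew() call
    return "PROCESSED"


# Constructed sample body; the values are placeholders, not a real notification.
CAPTURED_IPN = {
    "txn_id": "3AB12345CD678901E",
    "recurring_payment_id": "I-ABCDEFGHIJKL",
    "payment_status": "Completed",
    "mc_gross": "9.99",
    "verify_sign": "AbCdEfGhIjKlMnOp",
}


def replay(times: int, dedupe: bool) -> tuple:
    """Deliver the same captured IPN body `times` times to a fresh account."""
    acct = Account()
    results = [handle_ipn(dict(CAPTURED_IPN), acct, dedupe) for _ in range(times)]
    return acct, results


if __name__ == "__main__":
    for dedupe in (False, True):
        acct, results = replay(3, dedupe)
        print(f"dedupe={dedupe}: wallet={acct.wallet} renewals={acct.renewals} {results}")
```

The check must be persisted and must be atomic with the credit (an insert into a table with a unique index on the transaction id, before the wallet update, in the same transaction), otherwise two replays arriving concurrently can both pass the lookup.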

Remediation

Operators are advised to update to AVideo version 29.0 or later, where this vulnerability has been addressed. After updating, confirm that billing plans no longer use the v1 ipn.php handler as their notify_url, since that is the path through which the unpatched handler stayed reachable.

Added: Apr 7, 2026, 9:01 PM
Updated: Apr 7, 2026, 9:01 PM

Vulnerability Rating

Custom Algorithm

spread:          1.0
impact:          2.5
exploitability:  8.7
remediation:     0.0
relevance:       5.4
threat:          4.8
urgency:         2.9
incentive:       8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.