WWBN AVideo PayPal Agreement Cancellation Vulnerability Allows Unauthorized Subscription Cancellations

Vulnerability

A vulnerability in WWBN AVideo versions through 29.0 allows low-privilege authenticated users to cancel arbitrary PayPal billing agreements. The issue lies in `plugin/PayPalYPT/agreementCancel.json.php`: the cancellation handler checks that the caller is logged in but never verifies that the caller owns the agreement being cancelled, so any agreement ID supplied in the request is acted on. This missing ownership check lets one user cancel another user's subscription, leading to potential revenue loss for the platform and disruption of service for the affected user.

Impact

Exploitation of this vulnerability allows any authenticated user to silently cancel another user's active PayPal subscription, causing the victim to lose access to paid services and disrupting revenue for the platform.

Reproduction

To reproduce this vulnerability, log in as a low-privilege user and obtain a target user's PayPal agreement ID. This ID can be found in server error logs, email receipts, or through administrative payment screens. Once the agreement ID is obtained, send a POST request to `plugin/PayPalYPT/agreementCancel.json.php` with the victim's agreement ID included. The response will indicate a successful cancellation, which can be verified by checking the subscription status in AVideo.

Remediation

The vulnerability has been patched in commit 0da3dcff1eda2f497694bf82b559829471c292c2, which adds the necessary ownership verification to the cancellation process.
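To make the defect class concrete, the following is an added, self-contained PHP example; it is not AVideo's code and does not reproduce the patched file or the commit above. It models the handler as a function over a constructed in-memory table of agreements (agreement ID to owning user ID, with hypothetical IDs) and places the unchecked version beside a version that enforces ownership, which is the shape of fix the advisory describes. The function names and the `error`/`msg` response array are assumptions for illustration.

```php
<?php
// Added example, not WWBN AVideo project code. All names and IDs are hypothetical.
declare(strict_types=1);

// Constructed store standing in for the database: agreement ID => owner user ID.
const AGREEMENTS = [
    'I-EXAMPLE0001' => 42,
    'I-EXAMPLE0002' => 7,
];

/**
 * Vulnerable pattern: authentication is required, but the agreement's owner
 * is never compared with the caller, so any known agreement ID can be cancelled.
 */
function cancelAgreementUnchecked(array &$agreements, int $currentUserId, string $agreementId): array
{
    if ($currentUserId <= 0) {
        return ['error' => true, 'msg' => 'not logged in'];
    }
    if (!isset($agreements[$agreementId])) {
        return ['error' => true, 'msg' => 'agreement not found'];
    }
    unset($agreements[$agreementId]); // stands in for the PayPal cancel call
    return ['error' => false, 'msg' => 'agreement cancelled'];
}

/**
 * Hardened pattern: the agreement must exist AND belong to the caller.
 * Unknown and not-owned IDs get the same response so the endpoint does not
 * reveal which agreement IDs exist.
 */
function cancelAgreementChecked(array &$agreements, int $currentUserId, string $agreementId): array
{
    if ($currentUserId <= 0) {
        return ['error' => true, 'msg' => 'not logged in'];
    }
    if (!isset($agreements[$agreementId]) || $agreements[$agreementId] !== $currentUserId) {
        error_log("agreementCancel refused: user=$currentUserId agreement=$agreementId"); // audit trail
        return ['error' => true, 'msg' => 'agreement not found'];
    }
    unset($agreements[$agreementId]);
    return ['error' => false, 'msg' => 'agreement cancelled'];
}

/** Runs one scenario against a fresh copy of the store and reports the outcome. */
function scenario(string $label, callable $handler, int $userId, string $agreementId): void
{
    $store = AGREEMENTS;
    $result = $handler($store, $userId, $agreementId);
    $state = isset($store[$agreementId]) ? 'still active' : 'removed';
    echo sprintf("%-28s user=%d target=%s -> %s (%s)\n",
        $label, $userId, $agreementId, $result['msg'], $state);
}

// User 7 targets user 42's agreement: the unchecked handler cancels it, the checked one refuses.
scenario('unchecked, other user', 'cancelAgreementUnchecked', 7, 'I-EXAMPLE0001');
scenario('checked, other user',   'cancelAgreementChecked',   7, 'I-EXAMPLE0001');
// The legitimate owner can still cancel through the checked handler.
scenario('checked, owner',        'cancelAgreementChecked',   42, 'I-EXAMPLE0001');
// An unauthenticated caller is rejected by both.
scenario('checked, anonymous',    'cancelAgreementChecked',   0, 'I-EXAMPLE0002');
```

Run it with `php example.php`. The design point is that the ownership comparison is done server-side against the stored owner, never against anything the client sends, and that the refusal path logs the caller and target so that repeated cancel attempts against agreements a user does not own show up in the application log.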

Added: May 11, 2026, 10:36 PM
Updated: May 11, 2026, 10:36 PM

Vulnerability Rating

Custom Algorithm

| Category       | Score |
| -------------- | ----- |
| spread         | 1.0   |
| impact         | 0.6   |
| exploitability | 5.8   |
| remediation    | 0.0   |
| relevance      | 8.0   |
| threat         | 4.8   |
| urgency        | 2.9   |
| incentive      | 0.0   |

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.