AVideo PayPalYPT plugin, Missing Authorization, CVE-2024-XXXX (Medium)

How the CVE works (20 lines):

  1. The AVideo PayPalYPT plugin has two endpoints to cancel a PayPal billing agreement.
  2. Only `PayPalAgreementCancel.json.php` checks ownership (admin or agreement owner).
  3. The duplicate `agreementCancel.json.php` lacks this check.
  4. It only verifies that the user is logged in (twice, redundantly).
  5. An attacker logs in as any low-privilege user (e.g., free subscriber).
  6. They obtain another user’s PayPal agreement ID (e.g., from error logs, receipts, or admin screens).
  7. The attacker sends a POST request to `agreementCancel.json.php` with agreement=<victim_id>.
  8. No verification links the agreement ID to the authenticated user.
  9. The server calls `PayPalYPT::cancelAgreement()` with the attacker-supplied ID.
  10. This function fetches the PayPal billing agreement object.
  11. It then calls `$createdAgreement->suspend()` unconditionally.
  12. PayPal suspends the victim’s recurring billing agreement.
  13. The victim stops being billed, and AVideo marks the subscription inactive.
  14. The intended UI (subscriptions_list.php) posts only the user’s own agreements.
  15. However, the server accepts any `agreement` parameter from any logged-in user.
  16. No CSRF token is required, but the core flaw is missing authorization.
  17. The sister endpoint’s check shows the developer intended ownership verification.
  18. The duplicate endpoint was likely left over from development.
  19. Agreement IDs leak via `_error_log` entries, webhooks, and PayPal emails.
  20. Any authenticated user can silently cancel any other user’s PayPal subscription.

dailycve form:

Platform: AVideo
Version: Before patch
Vulnerability: Missing authorization
Severity: Medium
Date: 2024-06-01

Prediction: Patch already released

What Undercode Say:

Simulate the vulnerability (for educational testing only):

```bash
curl -X POST 'https://target.example/plugin/PayPalYPT/agreementCancel.json.php' \
  -b 'PHPSESSID=attacker_session_cookie' \
  -d 'agreement=I-ABCD1234XYZ'
```

Exploit:

Authenticated attacker sends POST with victim’s agreement ID to unprotected endpoint → PayPal suspends victim’s billing agreement via `suspend()` call.

Protection from this CVE:

Add an ownership check before the cancel call: `if (!User::isAdmin() && !Subscription::isAgreementFromUser($_REQUEST['agreement'], User::getId())) { die; }` (the same test the sister endpoint already performs), or delete the duplicate endpoint altogether.
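The following is an added example of what a hardened `agreementCancel.json.php` could look like; it is not AVideo's code. The names `User::isAdmin()`, `User::getId()`, `Subscription::isAgreementFromUser()`, `PayPalYPT::cancelAgreement()` and `_error_log()` are the ones this advisory mentions; `User::isLogged()` as the session check, the JSON response shape, the agreement-ID pattern and a truthy return from `cancelAgreement()` on success are assumptions made here for illustration.

```php
<?php
// Hardened replacement for the duplicate agreementCancel.json.php endpoint.
// Added example, not AVideo's own code. Assumptions (not stated in the advisory):
//   - User::isLogged() is the plugin's session check (the advisory names the check, not the function)
//   - the endpoint answers JSON with an `error` flag and a `msg`, like other *.json.php endpoints
//   - PayPalYPT::cancelAgreement() returns a truthy value on success
// Names taken from the advisory: User::isAdmin(), User::getId(),
// Subscription::isAgreementFromUser(), PayPalYPT::cancelAgreement(), _error_log().

header('Content-Type: application/json');

$obj = new stdClass();
$obj->error = true;
$obj->msg = '';

// Step 1: authentication. This is the only check the vulnerable endpoint performed,
// and on its own it lets any logged-in account act on any agreement.
if (!User::isLogged()) {
    $obj->msg = 'Not logged in';
    die(json_encode($obj));
}

// Step 2: input validation. Reject anything that does not look like a PayPal billing
// agreement ID before it reaches the PayPal SDK. The pattern is an assumption here;
// tighten it to whatever format the plugin actually stores.
$agreement = isset($_REQUEST['agreement']) ? trim((string) $_REQUEST['agreement']) : '';
if (!preg_match('/^I-[A-Z0-9]{10,20}$/', $agreement)) {
    $obj->msg = 'Invalid agreement ID';
    die(json_encode($obj));
}

// Step 3: authorization, the check the vulnerable endpoint was missing.
// Mirrors the ownership test in PayPalAgreementCancel.json.php: admins may cancel any
// agreement, everyone else only an agreement tied to their own user ID.
if (!User::isAdmin() && !Subscription::isAgreementFromUser($agreement, User::getId())) {
    // Record the denied attempt so repeated probing of other users' IDs is visible in the log.
    _error_log('agreementCancel denied: user ' . User::getId() . " is not the owner of agreement {$agreement}");
    $obj->msg = 'You do not own this agreement';
    die(json_encode($obj));
}

// Step 4: only after authentication, validation and authorization perform the privileged action.
$obj->error = !PayPalYPT::cancelAgreement($agreement);
$obj->msg = $obj->error ? 'Cancel failed' : 'Agreement cancelled';
die(json_encode($obj));
```

The order matters: the ownership test runs on the server-supplied identity (`User::getId()`) and the client-supplied `agreement` value, so the fact that `subscriptions_list.php` only ever posts the user's own IDs is no longer what the security of the endpoint rests on. Logging the denial gives the operator a detection signal in `_error_log` for accounts that try several foreign agreement IDs.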

Impact:

Revenue loss for platform; service disruption for victim; any authenticated user can cancel any PayPal recurring subscription.

Sources:

Reported By: github.com