(AVideo) Unauthenticated Payment Data Disclosure via BlockonomicsYPT checkphp, CVE-2026-35448 (Low)

Listen to this Post

The BlockonomicsYPT plugin for AVideo includes an endpoint at `plugin/BlockonomicsYPT/check.php` that processes AJAX polling requests for payment order data. This endpoint, located at lines 20-30, accepts a Bitcoin address via the `addr` parameter[reference:0]. It uses this address to query the database and returns a JSON object containing the corresponding order details[reference:1].
Crucially, the endpoint performs no authentication or access control checks of its own. It does not verify whether the requesting user is logged in, nor does it check if the user is authorized to view the order associated with the given address[reference:2]. While the `invoice.php` page, which is designed to consume this endpoint, does require authentication, the `check.php` endpoint itself does not inherit or enforce that requirement[reference:3].
Bitcoin addresses are publicly visible on the blockchain, making them trivial to discover[reference:4]. An attacker can easily monitor blockchain transactions to known platform wallets to identify addresses associated with the AVideo instance. By sending a simple HTTP GET request with a target address, the attacker can retrieve sensitive payment data without any session cookie or API key[reference:5].
The exposed JSON response includes the buyer’s User ID, total payment value, currency, expected and received BTC amounts, transaction ID (txid), payment status, and creation date[reference:6][reference:7]. This vulnerability allows an attacker to link public, on-chain Bitcoin transactions to specific user accounts on the platform, leading to a severe privacy breach for users who have made cryptocurrency payments.

dailycve form:

Platform: AVideo
Version: Deprecated plugin
Vulnerability : Unauthenticated data disclosure
Severity: Low
date: 2026-04-02

Prediction: Patch likely 2026-04-09

Analytics under heading What Undercode Say:

Count vulnerable plugin instances
grep -r "BlockonomicsYPT" /var/www/avideo/plugin/
Check for deprecated but active plugin
grep -r "tagged as deprecated" /var/www/avideo/plugin/BlockonomicsYPT/
Audit access logs for potential exploitation attempts
grep "check.php?addr=" /var/log/apache2/access.log

Exploit:

curl -k "https://target.com/plugin/BlockonomicsYPT/check.php?addr=1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"

Protection from this CVE:

Add authentication check at `plugin/BlockonomicsYPT/check.php:17`:

if (!User::isLogged()) {
echo json_encode(["error" => "Login required"]);
exit;
}

Additionally, consider removing or disabling the deprecated plugin entirely.

Impact:

  • Unauthenticated disclosure of payment order data including user IDs, amounts, and transaction details.
  • Bitcoin addresses are publicly discoverable on the blockchain, linking on-chain transactions to specific platform user IDs.
  • Severe privacy violation for users who made cryptocurrency payments.
  • Deprecated plugin remains functional in existing deployments, increasing the attack surface.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top