AVideo's PayPal Handler Vulnerable to Transaction Replay Attacks
CVE Notify is flagging a critical flaw in the WWBN AVideo open-source video platform, specifically affecting versions 26.0 and earlier. The issue lies within the older PayPal Instant Payment Notification (IPN) v1 handler, located at plugin/PayPalYPT/ipn.php. According to CVE Notify, this handler is missing crucial transaction deduplication logic. This oversight allows attackers to exploit a single, legitimate IPN notification by replaying it multiple times. The consequence? An attacker could artificially inflate their wallet balance or renew subscriptions indefinitely, effectively defrauding the platform.
While newer handlers like ipnV2.php and webhook.php have implemented proper deduplication by referencing PayPalYPT_log entries, the outdated v1 handler remains a significant risk. CVE Notify points out that this vulnerable script is still actively referenced as the notify_url for existing billing plans. This means that even if users aren't aware of the older handler, systems configured to use it are susceptible to this replay attack.
The vulnerability, tracked as CVE-2026-39366, highlights the persistent danger of maintaining legacy code, especially in payment processing modules. The fix, referenced in a GitHub commit, addresses the missing deduplication in the v1 handler, but the continued reliance on it in billing configurations presents an ongoing threat until all legacy configurations are updated.
What This Means For You
- Security teams managing WWBN AVideo instances should immediately audit all active billing plans and payment configurations to ensure they are not utilizing the deprecated `plugin/PayPalYPT/ipn.php` handler; prioritize migrating any such plans to the newer, secured IPN v2 or webhook handlers to prevent transaction replay exploits.
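To make the deduplication point concrete, here is an added example (not code from AVideo or from CVE Notify) that models both handler styles described above in Python: a v1-style handler that credits a wallet on every "Completed" notification, and a hardened handler that first records the txn_id in a log table with a primary-key constraint and only credits when that insert succeeds, so a replayed notification is rejected. It also includes the two audit checks the recommendation calls for: spotting repeated txn_ids in a stored IPN log, and listing billing plans whose notify_url still points at plugin/PayPalYPT/ipn.php. Field names follow PayPal's documented IPN parameters (txn_id, payment_status, mc_gross, custom); the sample notifications, the billing-plan records and the Wallet class are constructed for this example and do not reflect AVideo's real schema.

```python
"""Transaction-replay defence for a PayPal IPN handler (added example, not AVideo code)."""
import sqlite3
from urllib.parse import urlparse

# Constructed sample notifications: the second entry is a byte-for-byte replay
# of the first, which is exactly what the v1 handler failed to detect.
SAMPLE_IPNS = [
    {"txn_id": "TXN-0001", "payment_status": "Completed", "mc_gross": "10.00", "custom": "user-42"},
    {"txn_id": "TXN-0001", "payment_status": "Completed", "mc_gross": "10.00", "custom": "user-42"},
    {"txn_id": "TXN-0002", "payment_status": "Completed", "mc_gross": "5.00", "custom": "user-42"},
]

# Constructed billing-plan records (hypothetical shape; AVideo's real storage is not shown here).
SAMPLE_PLANS = [
    {"id": "plan-legacy", "notify_url": "https://video.example/plugin/PayPalYPT/ipn.php"},
    {"id": "plan-v2", "notify_url": "https://video.example/plugin/PayPalYPT/ipnV2.php"},
    {"id": "plan-webhook", "notify_url": "https://video.example/plugin/PayPalYPT/webhook.php"},
]

LEGACY_HANDLER_PATH = "plugin/PayPalYPT/ipn.php"


class Wallet:
    """In-memory stand-in for the platform's wallet table and IPN log table."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE wallet (user TEXT PRIMARY KEY, balance REAL NOT NULL)")
        # PRIMARY KEY on txn_id is the deduplication guarantee: a replayed
        # notification cannot be logged twice, so it cannot be credited twice.
        self.db.execute(
            "CREATE TABLE ipn_log (txn_id TEXT PRIMARY KEY, user TEXT NOT NULL, amount REAL NOT NULL)"
        )

    def balance(self, user):
        row = self.db.execute("SELECT balance FROM wallet WHERE user=?", (user,)).fetchone()
        return row[0] if row else 0.0

    def _credit(self, user, amount):
        self.db.execute("INSERT OR IGNORE INTO wallet(user, balance) VALUES(?, 0)", (user,))
        self.db.execute("UPDATE wallet SET balance = balance + ? WHERE user=?", (amount, user))

    def handle_ipn_v1_style(self, ipn):
        """Vulnerable pattern: credits on every Completed notification, no txn_id check.
        (The round-trip verification with PayPal is assumed to have happened earlier.)"""
        if ipn["payment_status"] != "Completed":
            return "ignored"
        self._credit(ipn["custom"], float(ipn["mc_gross"]))
        self.db.commit()
        return "credited"

    def handle_ipn_dedup(self, ipn):
        """Hardened pattern: log txn_id and credit in one transaction; a duplicate
        txn_id violates the primary key, the transaction rolls back, nothing is credited."""
        if ipn["payment_status"] != "Completed":
            return "ignored"
        try:
            with self.db:  # commits on success, rolls back on exception
                self.db.execute(
                    "INSERT INTO ipn_log(txn_id, user, amount) VALUES(?, ?, ?)",
                    (ipn["txn_id"], ipn["custom"], float(ipn["mc_gross"])),
                )
                self._credit(ipn["custom"], float(ipn["mc_gross"]))
        except sqlite3.IntegrityError:
            return "duplicate"
        return "credited"


def replay_demo(dedup):
    """Feed the sample notifications to one handler; return (outcomes, final balance)."""
    wallet = Wallet()
    handler = wallet.handle_ipn_dedup if dedup else wallet.handle_ipn_v1_style
    outcomes = [handler(ipn) for ipn in SAMPLE_IPNS]
    return outcomes, wallet.balance("user-42")


def find_replays(ipns):
    """Audit helper: txn_ids that appear more than once in a stored IPN log."""
    seen, duplicates = set(), []
    for ipn in ipns:
        txn = ipn["txn_id"]
        if txn in seen and txn not in duplicates:
            duplicates.append(txn)
        seen.add(txn)
    return duplicates


def plans_using_legacy_handler(plans):
    """Audit helper: ids of billing plans whose notify_url still targets the v1 handler."""
    return [
        p["id"] for p in plans
        if urlparse(p["notify_url"]).path.endswith("/" + LEGACY_HANDLER_PATH)
    ]


if __name__ == "__main__":
    print("v1-style handler:", replay_demo(dedup=False))   # replay credited twice
    print("deduplicating handler:", replay_demo(dedup=True))  # replay rejected
    print("replayed txn_ids in log:", find_replays(SAMPLE_IPNS))
    print("plans still on legacy handler:", plans_using_legacy_handler(SAMPLE_PLANS))
```

The important design choice is that the log insert and the credit sit in the same database transaction: checking the log first and then inserting afterwards would leave a window in which two concurrent deliveries of the same notification both pass the check. Letting the primary key do the check makes the handler idempotent regardless of timing.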
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-39366 | Deserialization | WWBN AVideo versions 26.0 and prior, plugin/PayPalYPT/ipn.php, lacks transaction deduplication, allowing replay of IPN notifications. |
| CVE-2026-39366 | Misconfiguration | WWBN AVideo versions 26.0 and prior, PayPal IPN v1 handler (ipn.php) is referenced as notify_url for billing plans, leading to potential financial inflation. |