CVE-2026-35448
Published 2026-04-06
Priority: P4 (low) · CVSS 3.1 base score 3.7, vector AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS: 0.32% (23.7th percentile)
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the BlockonomicsYPT plugin's check.php endpoint returns payment order data for any Bitcoin address without requiring authentication. The endpoint was designed as an AJAX polling helper for the authenticated invoice.php page, but it performs no access control checks of its own. Since Bitcoin addresses are publicly visible on the blockchain, an attacker can query payment records for any address used on the platform.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wwbn | avideo | <= 26.0 | — |
| wwbn | avideo | 0 – 26.0 | — |
OSV entry (2026-04-04): CVE-2026-35448 [LOW] AVideo: Unauthenticated Access to Payment Order Data via BlockonomicsYPT check.php
## Summary
The BlockonomicsYPT plugin's `check.php` endpoint returns payment order data for any Bitcoin address without requiring authentication. The endpoint was designed as an AJAX polling helper for the authenticated `invoice.php` page, but it performs no access control checks of its own. Since Bitcoin addresses are publicly visible on the blockchain, an attacker can query payment records for any address used on the platform.
## Details
In `plugin/BlockonomicsYPT/check.php` at lines 20-30, the endpoint accepts a Bitcoin address and returns the corresponding order data:
```php
// Vulnerable excerpt as reported: the address comes straight from the query
// string and the order is returned without any login or ownership check.
$addr = $_GET['addr'];
$order = new BlockonomicsOrder(0);
$obj = $order->getFromAddressFromDb($addr);
die(json_encode($obj));
```
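A hardened form of this handler, as an added example that is not AVideo's own code: `User::isLogged()`, `User::getId()`, `User::isAdmin()`, the `users_id` field on the order object and the `configuration.php` include path are assumed names used only for the illustration.

```php
<?php
// Added example, not AVideo's code. User::isLogged(), User::getId(),
// User::isAdmin(), the users_id field and the include path are assumptions.
require_once __DIR__ . '/../../videos/configuration.php';

header('Content-Type: application/json');

// 1. Missing in the original: the caller must be authenticated at all.
if (!User::isLogged()) {
    http_response_code(401);
    die(json_encode(['error' => 'Authentication required']));
}

// 2. Permissive shape check (Base58/bech32 characters, plausible length)
//    before the database is touched; input hygiene, not the authorization fix.
$addr = isset($_GET['addr']) ? trim($_GET['addr']) : '';
if (!preg_match('/^[a-zA-Z0-9]{26,90}$/', $addr)) {
    http_response_code(400);
    die(json_encode(['error' => 'Invalid address']));
}

$order = new BlockonomicsOrder(0);
$obj = $order->getFromAddressFromDb($addr);

// 3. The CWE-862 fix: only the order's owner (or an admin) may read it.
//    Missing and foreign orders get the same 404 so the endpoint cannot be
//    used to confirm which addresses exist on the platform.
$ownsOrder = !empty($obj) && (int)$obj->users_id === (int)User::getId();
if (empty($obj) || (!$ownsOrder && !User::isAdmin())) {
    http_response_code(404);
    die(json_encode(['error' => 'Order not found']));
}

die(json_encode($obj));
```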
GHSA entry (2026-04-04): CVE-2026-35448 [LOW] CWE-862 AVideo: Unauthenticated Access to Payment Order Data via BlockonomicsYPT check.php
No detection rules found.
No public exploits indexed.