AVideo: Arbitrary Stripe Subscription Cancellation via Debug Endpoint and retrieveSubscriptions() Bug

Description

Summary

The StripeYPT plugin includes a test.php debug endpoint that is accessible to any logged-in user, not just administrators. This endpoint processes Stripe webhook-style payloads and triggers subscription operations, including cancellation. Due to a bug in the retrieveSubscriptions() method that cancels subscriptions instead of merely retrieving them, any authenticated user can cancel arbitrary Stripe subscriptions by providing a subscription ID.

Details

At plugin/StripeYPT/test.php:4, the endpoint checks only for a logged-in user, not for admin privileges:

if (!User::isLogged())

At lines 27-29, the endpoint accepts a JSON payload from the request and processes it through the Stripe metadata handler:

$obj = StripeYPT::getMetadataOrFromSubscription(json_decode($_REQUEST['payload']));

The call chain proceeds as follows:
- test.php calls getMetadataOrFromSubscription()
- Which calls getSubscriptionId() to extract the subscription ID
- Which calls retrieveSubscriptions() to interact with the Stripe API

At StripeYPT.php:933, the retrieveSubscriptions() method contains a critical bug where it cancels the subscription instead of just retrieving it:

$response = $sub->cancel();

This same bug also affects the production webhook processing path via processSubscriptionIPN(), meaning both the debug endpoint and the live webhook handler can trigger unintended cancellations.

Proof of Concept

  1. Log in as any regular (non-admin) user and obtain a session cookie.

  2. Send a crafted payload to the test endpoint with a target subscription ID:

curl -b "PHPSESSID=USER_SESSION" \
  "https://your-avideo-instance.com/plugin/StripeYPT/test.php" \
  -d 'payload={"data":{"object":{"id":"sub_TARGET_SUBSCRIPTION_ID","customer":"cus_CUSTOMER_ID"}}}'
  1. The endpoint processes the payload, calls retrieveSubscriptions(), and the subscription is cancelled via the Stripe API.

  2. To enumerate subscription IDs, check if the application exposes them through other endpoints or use predictable patterns:

# Check user subscription details if accessible
curl -b "PHPSESSID=USER_SESSION" \
  "https://your-avideo-instance.com/plugin/StripeYPT/listSubscriptions.php"
  1. The Stripe subscription is now cancelled. The affected user loses access to their paid features.

Impact

Any logged-in user can cancel arbitrary Stripe subscriptions belonging to other users. This causes direct financial damage to the platform operator (lost subscription revenue) and service disruption for paying subscribers who lose access to premium features. The debug endpoint should have been removed from production or restricted to admin-only access, and the retrieveSubscriptions() method should retrieve rather than cancel subscriptions.

  • CWE-862: Missing Authorization
  • Severity: Medium

Recommended Fix

Two changes are needed:

1. Restrict the debug endpoint to admins at plugin/StripeYPT/test.php:4:

// plugin/StripeYPT/test.php:4
if (!User::isAdmin())

Change User::isLogged() to User::isAdmin() so only administrators can access the debug endpoint.

2. Fix the retrieval bug at StripeYPT.php:933:

Remove the $sub->cancel() call from retrieveSubscriptions() so that the function only retrieves subscription data without cancelling it:

// StripeYPT.php:933 - remove the following line:
// $response = $sub->cancel();

The retrieveSubscriptions() method should retrieve subscription information, not cancel subscriptions as a side effect.


Found by aisafe.io

Basic information

Type
reviewed
Severity
medium
Advisory on GitHub
Open advisory ↗
Repository advisory
Open repository advisory ↗
Source code
Browse source ↗
Published (advisory)
2026-04-01 21:06:58 UTC
Updated
2026-04-02 11:32:36 UTC
GitHub reviewed
2026-04-01 21:06:58 UTC
NVD published
2026-03-31

EPSS Score

Score Percentile
0.03% 8.86%

CVSS Scores

Base score Version Severity Vector
6.5 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:L)
A normal user session is enough; they don’t have to be admin.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:N)
Doesn’t really leak secrets in a meaningful way.
Integrity (I:H)
They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:N)
Service keeps running; no real outage angle.

Identifiers

CWEs

CWE id Name
CWE-862 Missing Authorization

Credits

  • adrgs (reporter)
  • aisafe-bot (finder)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
composer wwbn/avideo <= 26.0

References

cvelogic Threat Intelligence