Summary
plugin/PayPalYPT/agreementCancel.json.php cancels a PayPal billing agreement using an attacker-supplied agreement parameter without verifying that the authenticated user owns the agreement. A low-privilege authenticated user who learns or obtains another user's PayPal billing agreement ID can silently suspend the victim's recurring subscription, causing revenue loss to the platform and loss of paid service to the victim.
Details
AVideo's PayPalYPT plugin ships two near-duplicate endpoints that cancel a PayPal billing agreement. Only one of them enforces ownership:
plugin/PayPalYPT/PayPalAgreementCancel.json.php:19, correctly requires either admin or the agreement's owner:if (!User::isAdmin() && !Subscription::isAgreementFromUser($_POST['agreement_id'], User::getId())) { $obj->msg = "Only the owner can delete his agreement"; die(json_encode($obj)); }plugin/PayPalYPT/agreementCancel.json.php:9-26, only checksUser::isLogged()(in fact twice, redundantly) and then calls the cancellation directly:if (!User::isLogged()) { ... die; } // line 9 if (empty($_REQUEST['agreement'])) { ... die; } // line 14 if (!User::isLogged()) { ... die; } // line 19, duplicate; no ownership check $plugin = AVideoPlugin::loadPluginIfEnabled("PayPalYPT"); $agreement = PayPalYPT::cancelAgreement($_REQUEST['agreement']); // line 26
PayPalYPT::cancelAgreement() at plugin/PayPalYPT/PayPalYPT.php:548-566 resolves the agreement ID against PayPal and calls $createdAgreement->suspend($agreementStateDescriptor, $apiContext) unconditionally, the server does not verify that the logged-in user's users_id matches the owner recorded in PayPalYPT_log (or wherever the agreement was registered):
public static function cancelAgreement($agreement_id)
{
...
$createdAgreement = self::getBillingAgreement($agreement_id);
try {
$createdAgreement->suspend($agreementStateDescriptor, $apiContext);
return Agreement::get($createdAgreement->getId(), $apiContext);
} catch (Exception $ex) {
return false;
}
}
The intended UI caller is subscriptions_list.php:84 which posts the current user's own agreement IDs, but the server accepts any agreement parameter from any logged-in user. Agreement IDs can leak via _error_log entries written in agreementCancel.json.php:34 and webhook.php during normal operation, via PayPal receipt emails, or via other administrative and payment-log screens. No CSRF token is required, but the root defect is missing authorization, not CSRF.
PoC
Log in as any low-privilege user (registered subscriber, commenter, free-tier account created via
signUp).Obtain the target's PayPal agreement ID (e.g.,
I-ABCD1234XYZ). This may come from server error logs, email receipts, admin/payment screens, or other disclosures.Send the request with the victim's agreement ID:
curl -X POST 'https://target.example/plugin/PayPalYPT/agreementCancel.json.php' \ -b 'PHPSESSID=<attacker_session>' \ -d 'agreement=I-ABCD1234XYZ'Expected response:
{"error":false,"msg":""}The victim's billing agreement is suspended at PayPal via
Agreement::suspend()(PayPalYPT.php:560). The victim stops being billed; AVideo subsequently reflects the subscription as inactive.
Impact
- Any authenticated user can silently cancel another user's active PayPal recurring billing agreement.
- Revenue disruption for the platform operator, any affected subscribers stop being billed.
- Service disruption for the victim, their paid subscription lapses.
- The defect is purely an authorization gap; the sister endpoint
PayPalAgreementCancel.json.phpdemonstrates that the owner/admin check was intentional for this action but was not applied to this duplicate.
CVE-2026-43883 has a CVSS score of 4.2 (Medium). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. No fixed version is listed yet, so configuration controls and monitoring matter more in the interim.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Port the ownership check from the sister endpoint into agreementCancel.json.php:
if (!User::isAdmin() && !Subscription::isAgreementFromUser($_REQUEST['agreement'], User::getId())) {
$obj->msg = "Only the owner can cancel this agreement";
die(json_encode($obj));
}
Alternative, preferred remediation: delete the duplicate agreementCancel.json.php entirely and point the cancelAgreement() JS helper in subscriptions_list.php:84 at the already-protected PayPalAgreementCancel.json.php endpoint (sending the expected agreement_id POST field). While patching, also remove the redundant second User::isLogged() branch at line 19.
Frequently Asked Questions
- What is CVE-2026-43883? CVE-2026-43883 is a medium-severity security vulnerability in wwbn/avideo (composer), affecting versions <= 29.0. No fixed version is listed yet.
- How severe is CVE-2026-43883? CVE-2026-43883 has a CVSS score of 4.2 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of wwbn/avideo are affected by CVE-2026-43883? wwbn/avideo (composer) versions <= 29.0 is affected.
- Is there a fix for CVE-2026-43883? No fixed version is listed for CVE-2026-43883 yet. Monitor the advisory for updates and apply mitigations in the interim.
- Is CVE-2026-43883 exploitable, and should I be worried? Whether CVE-2026-43883 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2026-43883 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.