4 matches found
EUVD-2026-17650
AVideo: Missing Authentication in CreatePlugin list.json.php Template Affects 21 Endpoints...
CVE-2026-34732
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo CreatePlugin template for list.json.php does not include any authentication or authorization check. While the companion templates add.json.php and delete.json.php both require admin privileges, the list.json.php...
CVE-2026-34732
WWBN AVideo CVE-2026-34732 affects the CreatePlugin list.json.php template (versions ≤26.0). The template ships without authentication/authorization checks, while add.json.php and delete.json.php require admin privileges. This omission creates 21 unauthenticated data-listing endpoints across the ...
AVideo: Unauthenticated Access to Payment Log DataTables Endpoints Exposes Transaction Data, PayPal Tokens, and User Financial Records
Summary Multiple payment plugin list.json.php endpoints lack authentication and authorization checks, allowing unauthenticated attackers to retrieve all payment transaction records including PayPal billing agreement IDs, Express Checkout tokens, Authorize.Net webhook payloads with transaction...