Advisory Database
CVE-2026-43883: AVideo: IDOR in PayPalYPT Plugin Allows Any Authenticated User to Cancel Arbitrary PayPal Subscription Agreements

May 5, 2026

plugin/PayPalYPT/agreementCancel.json.php cancels a PayPal billing agreement identified by the attacker-supplied "agreement" request parameter without verifying that the authenticated user owns that agreement. A low-privilege authenticated user who learns or obtains another user's PayPal billing agreement ID can silently suspend the victim's recurring subscription, causing revenue loss to the platform and loss of paid service to the victim.
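The following is an added illustration, not code from AVideo or the PayPalYPT plugin: it places the vulnerable pattern the advisory describes (request-supplied agreement ID passed straight to the cancel call) beside a hardened version that resolves the agreement from a server-side record and refuses unless it belongs to the current user. The agreement table, the user IDs, the PayPal stub and the "I-" followed by alphanumerics ID shape are all constructed assumptions for the example.

```php
<?php
// Added example, not AVideo code. Models the ownership check an
// agreement-cancel endpoint needs. Storage is an in-memory array standing
// in for the plugin's DB table; the PayPal call is a stub callable.
declare(strict_types=1);

// Constructed sample data (assumption): agreement ID => owning user ID.
const AGREEMENTS = [
    'I-AAAAAAAAAAAA' => 7,   // owned by user 7 (the victim)
    'I-BBBBBBBBBBBB' => 42,  // owned by user 42 (the attacker)
];

/** Stand-in for the PayPal REST cancel call; records what would be cancelled. */
function fakePayPalCancel(string $agreementId, array &$cancelled): bool
{
    $cancelled[] = $agreementId;
    return true;
}

/**
 * Vulnerable pattern (CWE-639): the agreement ID from the request is passed
 * straight to PayPal. Any logged-in user can cancel any agreement they know.
 */
function agreementCancelVulnerable(?int $loggedUserId, array $request, array &$cancelled): array
{
    if ($loggedUserId === null) {
        return ['error' => true, 'msg' => 'not logged in'];
    }
    $agreementId = (string)($request['agreement'] ?? '');
    if ($agreementId === '') {
        return ['error' => true, 'msg' => 'missing agreement'];
    }
    fakePayPalCancel($agreementId, $cancelled);
    return ['error' => false, 'msg' => 'cancelled'];
}

/**
 * Hardened pattern: look the agreement up server-side and refuse unless it
 * belongs to the current user (or the caller is an admin). "Not found" and
 * "not yours" share one generic response so the endpoint cannot be used to
 * confirm which agreement IDs exist.
 */
function agreementCancelHardened(?int $loggedUserId, bool $isAdmin, array $request, array &$cancelled): array
{
    if ($loggedUserId === null) {
        return ['error' => true, 'msg' => 'not logged in'];
    }
    $agreementId = (string)($request['agreement'] ?? '');
    // Assumed ID shape ("I-" plus alphanumerics); reject anything else early.
    if (!preg_match('/^I-[A-Z0-9]{8,20}$/', $agreementId)) {
        return ['error' => true, 'msg' => 'invalid agreement'];
    }
    $ownerId = AGREEMENTS[$agreementId] ?? null;
    if ($ownerId === null || ($ownerId !== $loggedUserId && !$isAdmin)) {
        // Record the attempt server-side; answer generically to the client.
        error_log("agreementCancel denied: user={$loggedUserId} agreement={$agreementId}");
        return ['error' => true, 'msg' => 'agreement not found'];
    }
    fakePayPalCancel($agreementId, $cancelled);
    return ['error' => false, 'msg' => 'cancelled'];
}

// Demonstration: the attacker (user 42) submits the victim's agreement ID.
$request   = ['agreement' => 'I-AAAAAAAAAAAA'];
$cancelled = [];

$vuln = agreementCancelVulnerable(42, $request, $cancelled);
$sentByVulnerable = $cancelled;          // victim's agreement reaches PayPal

$cancelled = [];
$attackerOnHardened = agreementCancelHardened(42, false, $request, $cancelled);
$sentByHardened = $cancelled;            // stays empty: request refused

$ownerOnHardened = agreementCancelHardened(7, false, $request, $cancelled);

echo "vulnerable endpoint, attacker: {$vuln['msg']} (sent to PayPal: "
    . implode(',', $sentByVulnerable) . ")\n";
echo "hardened endpoint, attacker: {$attackerOnHardened['msg']} (sent to PayPal: "
    . (count($sentByHardened) ? implode(',', $sentByHardened) : 'nothing') . ")\n";
echo "hardened endpoint, owner: {$ownerOnHardened['msg']}\n";
```

The check that matters is the comparison of the stored owner against the session user before any call leaves the server; validating the ID's format alone would not close the hole, since the victim's ID is well-formed. Logging denied attempts gives the platform a signal to hunt for enumeration of agreement IDs.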

References

  • github.com/WWBN/AVideo
  • github.com/WWBN/AVideo/commit/0da3dcff1eda2f497694bf82b559829471c292c2
  • github.com/WWBN/AVideo/security/advisories/GHSA-958h-qp3x-q4gj
  • github.com/advisories/GHSA-958h-qp3x-q4gj
  • nvd.nist.gov/vuln/detail/CVE-2026-43883


Affected versions

All versions up to 29.0

Solution

Unfortunately, there is no solution available yet.

Impact 4.2 MEDIUM

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L


Weakness

  • CWE-639: Authorization Bypass Through User-Controlled Key

Source file

packagist/wwbn/avideo/CVE-2026-43883.yml



Page generated Sat, 09 May 2026 00:20:02 +0000.