GHSA-wprj-9cvc-5w37: AVideo: Unauthenticated Access to Payment Log DataTables Endpoints Exposes Transaction Data, PayPal Tokens, and User Financial Records

March 29, 2026

Multiple payment plugin list.json.php endpoints lack authentication and authorization checks, allowing unauthenticated attackers to retrieve all payment transaction records, including PayPal billing agreement IDs, Express Checkout tokens, Authorize.Net webhook payloads with transaction details, and Bitcoin payment records. This is the same class of vulnerability fixed in the Scheduler plugin (GHSA-j724-5c6c-68g5 / commit 83390ab1f), but the fix was not applied to the remaining 21 affected endpoints.
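For operators auditing their own installation, a source-level check for list.json.php files that contain no access check, written as an added example (not code from the advisory or from AVideo). The guard call names in GUARD_PATTERNS and the plugin names in the sample tree are assumptions; replace them with the checks and paths your deployment actually uses.

```python
import re
import tempfile
from pathlib import Path

# Assumption: calls that count as an access check. Adjust to the guards your
# AVideo version actually uses; these names are not taken from the advisory.
GUARD_PATTERNS = [r"User::isAdmin\s*\(", r"User::isLogged\s*\("]
GUARD_RE = re.compile("|".join(GUARD_PATTERNS))

# Strip PHP comments first so a commented-out guard is not counted as present.
# This is deliberately coarse: it errs toward flagging a file for review.
COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.DOTALL)


def unguarded_endpoints(plugin_root, filename="list.json.php"):
    """Return sorted relative paths of `filename` files with no guard call."""
    root = Path(plugin_root)
    findings = []
    for path in root.rglob(filename):
        source = path.read_text(encoding="utf-8", errors="replace")
        code = COMMENT_RE.sub("", source)
        if not GUARD_RE.search(code):
            findings.append(path.relative_to(root).as_posix())
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample tree (hypothetical plugin names, not AVideo's)."""
    samples = {
        "PluginA/View/Log/list.json.php":
            "<?php\nrequire_once 'config.php';\necho json_encode($rows);\n",
        "PluginB/View/Log/list.json.php":
            "<?php\nif (!User::isAdmin()) { die('{\"error\":true}'); }\n"
            "echo json_encode($rows);\n",
        "PluginC/View/Log/list.json.php":
            "<?php\n// if (!User::isAdmin()) { die(); }\necho json_encode($rows);\n",
    }
    for rel, body in samples.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel in unguarded_endpoints(tmp):
            print("no access check found:", rel)
```

A flagged file may still be protected by a check inside an included file, so treat the output as a review list rather than a verdict.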

References

  • github.com/WWBN/AVideo
  • github.com/WWBN/AVideo/commit/1729a955f8de7e26552eb728b3d1e6f4b1b9352e
  • github.com/WWBN/AVideo/security/advisories/GHSA-wprj-9cvc-5w37
  • github.com/advisories/GHSA-j724-5c6c-68g5
  • github.com/advisories/GHSA-wprj-9cvc-5w37

Affected versions

All versions up to 26.0

Solution

Unfortunately, there is no solution available yet.

Impact 7.5 HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Weakness

  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
  • CWE-862: Missing Authorization

Source file

packagist/wwbn/avideo/GHSA-wprj-9cvc-5w37.yml

Page generated Sat, 09 May 2026 12:19:46 +0000.