php · wwbn/avideo · Critical
wwbn/avideo Authorize.Net webhook signature verification bypass
What changed
The Authorize.Net webhook handler at plugin/AuthorizeNet/webhook.php has a signature verification bypass that allows attackers to forge webhook requests with arbitrary payment amounts and target user IDs.
Who it affects
All AVideo instances using the Authorize.Net payment plugin.
What to do today
Apply the recommended fixes: reject webhooks with invalid signatures unconditionally, use API-fetched values as authoritative, and check isApproved before processing payment.
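The three recommended fixes combined into one decision function, as an added sketch that is not AVideo's code or its patch. The function names, the `$fetchTxn` callable, the array shapes and the sample values are hypothetical. It assumes the signature header has the form `sha512=<hex>`, an HMAC-SHA512 of the raw body keyed with the merchant Signature Key.

```php
<?php
// Added example, not AVideo code. Function names and array shapes are hypothetical.

// Assumption: header is "sha512=<hex>", an HMAC-SHA512 of the raw request
// body keyed with the merchant Signature Key.
function anetSignatureIsValid(string $rawBody, string $header, string $key): bool
{
    if ($key === '' || stripos($header, 'sha512=') !== 0) {
        return false; // a missing key or header is a failure, never a reason to skip
    }
    $expected = hash_hmac('sha512', $rawBody, $key);
    return hash_equals($expected, strtolower(substr($header, 7))); // constant time
}

// Returns what to credit, or null when the webhook must be rejected.
// $fetchTxn is a hypothetical callable that looks the transaction up through the
// gateway API and returns ['isApproved'=>bool,'amount'=>float,'users_id'=>int] or null.
function decideCredit(string $rawBody, string $header, string $key, callable $fetchTxn): ?array
{
    if (!anetSignatureIsValid($rawBody, $header, $key)) {
        return null; // fix 1: reject unconditionally, no fallback path
    }
    $event = json_decode($rawBody, true);
    $txnId = is_array($event) ? ($event['payload']['id'] ?? null) : null;
    if (!is_string($txnId) || $txnId === '') {
        return null;
    }
    $txn = $fetchTxn($txnId); // fix 2: the API response is authoritative
    if (!is_array($txn) || ($txn['isApproved'] ?? false) !== true) {
        return null; // fix 3: only approved transactions are credited
    }
    if (!isset($txn['users_id'], $txn['amount'])) {
        return null;
    }
    return ['users_id' => (int) $txn['users_id'], 'amount' => (float) $txn['amount']];
}

// Constructed sample data: the webhook body claims 9999.00, the API reports 10.00.
$key      = 'constructed-signature-key';
$body     = '{"payload":{"id":"TXN-1","authAmount":9999.00}}';
$sig      = 'sha512=' . strtoupper(hash_hmac('sha512', $body, $key));
$approved = fn(string $id) => ['isApproved' => true, 'amount' => 10.00, 'users_id' => 42];
$declined = fn(string $id) => ['isApproved' => false, 'amount' => 10.00, 'users_id' => 42];

var_dump(decideCredit($body, 'sha512=' . str_repeat('0', 128), $key, $approved)); // wrong signature
var_dump(decideCredit($body, '', $key, $approved));                               // header absent
var_dump(decideCredit($body, $sig, $key, $declined));                             // signed, not approved
var_dump(decideCredit($body, $sig, $key, $approved));                             // signed and approved
```

Only the last call returns a credit, and its amount and user ID come from the API lookup rather than from the request body.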