Subscription price manipulation in Wt.Social


WT:Social, also known as WikiTribune Social, is an American micro-blogging and social networking service on which users contribute to “subwikis.” It was founded in October 2019 by Wikipedia co-founder Jimmy Wales as an alternative to Facebook and Twitter.The service contains no advertisements, and runs off of donations. As of mid-November 2019, it claimed over 200,000 users, for more details see

The finding

While conducting testing on Wt.Social, I identified a feature labeled ‘subscription’ that allows users to contribute to the platform’s ongoing efforts through monthly or yearly plans (12.99$/Month and 100.00$/Year). During my examination, I discovered a potential vulnerability – the ability to manipulate the subscription price to any amount, including as low as 0.01$ cent. This could pose a concern for the platform’s revenue model and financial integrity, warranting further investigation and remediation.

Reproduction Steps

  • Navigate to
  • Choose a subscription period (12.99$/Month or 100.00$/Year) – either option works.
  • Intercept the process using BurpSuite and click on ‘Pay by PayPal.’
  • Observe the ‘GET’ request generated, resembling the following:
GET /api/dopaypalactions?data={"action":"pay","payment":{"id":28,"name":"Monthly_1","amount":"100.00","currency":"USD","country":"USA","email":"","fname":"","lname":""}} HTTP/1.1
  • Modify the ‘amount’ value to your desired amount, e.g., 0.01, and forward the request to the server.
  • You will be redirected to the PayPal page, where you can successfully complete the payment for the adjusted amount of 0.01$.


It is crucial to implement server-side price verification.


Sarmad | 27 Nov 2019

Initial Report

WT.Social | 30 Nov 2019

Report Triaged

WT.Social | 09 Dec 2019

Fixed By WT

Sarmad | 11 Dec 2019

Fix Confirmed