PSA-2026-Q3TCPK
CVE-2026-48799
2026-05-23
CVSS 4.8 (Medium)

Unauthenticated arbitrary lifetime PRO grant via Nowpayments webhook

Postiz exposes a cryptocurrency payment IPN (Instant Payment Notification) handler that does not verify incoming callbacks against the shared secret the payment provider uses to sign them. Instead, the endpoint accepts any request that carries a token signed with an internal application key, and any registered platform user can obtain such a token. Compounding this, the handler reads the organization to upgrade from the untrusted request body rather than from the token it did validate or from a server-side record of the order, so a caller can name an arbitrary organization as the upgrade target.

A remote attacker with a low-privileged account can therefore make the application persist a lifetime PRO subscription entitlement for any organization of their choosing, without any payment being made and without the legitimate payment provider ever seeing the transaction. The vulnerability primarily affects the integrity of subscription and billing state and results in revenue loss for the operator. It does not disclose user data and does not affect service availability.
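The two flaws described above, modelled side by side in a small Python handler. This is an added illustration, not Postiz code: the vulnerable function gates only on an app-signed token and trusts `org_id` from the body, while the hardened function checks the provider's HMAC over the raw body first, then resolves the organization from an order record the server created when the invoice was issued. The `x-nowpayments-sig` header name and the HMAC-SHA512-over-sorted-JSON scheme follow NOWPayments' public IPN documentation as I recall it; the secret, order identifiers and organization names are constructed sample values, and the compact JSON separators used for canonicalization are an assumption.

```python
import hashlib
import hmac
import json

# Constructed sample values for the example (not from Postiz or NOWPayments).
IPN_SECRET = "ipn-secret-from-provider-dashboard"   # assumption: per-merchant IPN secret

# Invoices this deployment created. The organization and expected amount are
# bound to the order_id at invoice creation, so the callback never gets to
# name the organization itself.
PENDING_ORDERS = {"order-1001": {"org": "org-alice", "price_amount": 99.0}}
SUBSCRIPTIONS: dict[str, str] = {}


def canonical_json(body: dict) -> str:
    # NOWPayments signs the JSON body with keys sorted; compact separators are
    # an assumption about the exact encoding.
    return json.dumps(body, sort_keys=True, separators=(",", ":"))


def sign_ipn(body: dict, secret: str) -> str:
    """HMAC-SHA512 of the canonical body under the provider-shared secret."""
    return hmac.new(secret.encode(), canonical_json(body).encode(), hashlib.sha512).hexdigest()


def make_ipn(body: dict, secret: str) -> tuple[dict, bytes]:
    """Build a callback as the provider (or an attacker) would send it."""
    return {"x-nowpayments-sig": sign_ipn(body, secret)}, canonical_json(body).encode()


def handle_ipn_vulnerable(body: dict, app_token_valid: bool) -> tuple[bool, str]:
    """The pattern the advisory describes: the only gate is a token signed with
    the app's own key (obtainable by any user), and the upgrade target is read
    from the attacker-controlled body."""
    if not app_token_valid:
        return False, "no app token"
    org = body["org_id"]              # caller picks any organization
    SUBSCRIPTIONS[org] = "PRO_LIFETIME"
    return True, org


def handle_ipn_hardened(headers: dict, raw_body: bytes, secret: str) -> tuple[bool, str]:
    """Authenticate the callback with the provider secret, then resolve the
    organization from our own order record rather than from the body."""
    sig = headers.get("x-nowpayments-sig", "")
    try:
        body = json.loads(raw_body)
    except ValueError:
        return False, "malformed body"
    # Constant-time comparison; an unsigned or mis-signed body never reaches
    # the business logic below.
    if not hmac.compare_digest(sig, sign_ipn(body, secret)):
        return False, "bad signature"
    if body.get("payment_status") != "finished":
        return False, f"ignored status {body.get('payment_status')!r}"
    # pop() makes each order single-use, so a captured legitimate IPN cannot
    # be replayed to grant the entitlement twice.
    order = PENDING_ORDERS.pop(body.get("order_id"), None)
    if order is None:
        return False, "unknown or already-consumed order"
    if body.get("price_amount") != order["price_amount"]:
        return False, "amount mismatch"
    SUBSCRIPTIONS[order["org"]] = "PRO_LIFETIME"
    return True, order["org"]


if __name__ == "__main__":
    # Low-privileged user upgrades a victim org through the flawed handler.
    print(handle_ipn_vulnerable({"org_id": "org-victim"}, app_token_valid=True))
    # Same body against the hardened handler, signed with a guessed secret.
    h, b = make_ipn({"order_id": "order-1001", "payment_status": "finished",
                     "price_amount": 99.0}, "guessed-secret")
    print(handle_ipn_hardened(h, b, IPN_SECRET))
    # A genuine provider callback succeeds once and cannot be replayed.
    h, b = make_ipn({"order_id": "order-1001", "payment_status": "finished",
                     "price_amount": 99.0}, IPN_SECRET)
    print(handle_ipn_hardened(h, b, IPN_SECRET), handle_ipn_hardened(h, b, IPN_SECRET))
```

The ordering in the hardened handler is the point: signature verification happens before the body is interpreted at all, and the organization is looked up from state the server wrote when it created the invoice, so neither the app-signed token nor any field of the callback can select the upgrade target.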