Platform
wordpress
Component
videowhisper-live-streaming-integration
Fixed in
6.2.1
CVE-2025-26752 describes an Arbitrary File Access vulnerability within the Broadcast Live Video plugin for WordPress. This flaw, stemming from improper path validation, allows attackers to potentially read arbitrary files on the server. Versions of Broadcast Live Video from 0.0.0 through 6.2 are affected. A patch has been released in version 6.2.1.
The Arbitrary File Access vulnerability allows an attacker to bypass intended access restrictions and read files that they should not be able to access. Successful exploitation could lead to the exposure of sensitive information such as configuration files, database credentials, or even source code. This could provide attackers with a deeper understanding of the application's architecture and potentially lead to further exploitation. While the description doesn't detail specific attack vectors beyond path traversal, the potential for data exfiltration and system compromise is significant. The ability to read arbitrary files could also be leveraged to identify other vulnerabilities or gain a foothold for persistent access.
CVE-2025-26752 was publicly disclosed on 2025-02-25. There is no indication of active exploitation campaigns or a KEV listing at the time of this writing. Public proof-of-concept exploits are not currently known, but the path traversal nature of the vulnerability makes it likely that such exploits will emerge. The CVSS score of 8.6 (HIGH) indicates a significant potential for exploitation.
WordPress websites using the Broadcast Live Video plugin on any affected version (0.0.0–6.2) are at significant risk. Shared hosting environments where users have limited control over plugin updates are particularly exposed, and sites that store sensitive data on the server face a higher risk of data compromise.
• wordpress / composer / npm:
grep -rF '../' /var/www/html/videowhisper-live-streaming-integration/*   # -F matches the literal '../' (as a regex, ".." is any two characters); hits need manual review, since legitimate relative includes also match
• generic web:
curl -I --path-as-is 'http://your-wordpress-site.com/videowhisper-live-streaming-integration/../../../../etc/passwd'   # check for file disclosure; --path-as-is stops curl from collapsing the ../ segments before sending; after the upgrade expect 403/404, not 200
Exploit status
EPSS
0.19% (41st percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-26752 is to immediately upgrade the Broadcast Live Video plugin to version 6.2.1 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing temporary workarounds. These may include restricting file access permissions on the server, implementing a Web Application Firewall (WAF) with rules to block path traversal attempts (e.g., filtering requests containing '../' sequences), and carefully reviewing file upload and processing logic within the plugin. Monitor server logs for suspicious file access attempts. After upgrading, confirm the fix by attempting to access a sensitive file via a path traversal URL; access should be denied.
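As an added example (not code from this advisory or from the plugin vendor), the following Python script applies the log-monitoring advice above: it scans web-server access-log lines for requests that name the plugin path and carry a traversal sequence, percent-decoding the path first so that URL-encoded and double-encoded forms of '../' are not missed the way a naive '../' string filter would miss them, and it marks which of those requests the server answered with 2xx. The log lines and IP addresses are constructed; the slug videowhisper-live-streaming-integration comes from this advisory.

```python
import re
from urllib.parse import unquote

PLUGIN_SLUG = "videowhisper-live-streaming-integration"  # from the advisory
# Apache combined-style request line: ip ident user [time] "METHOD path HTTP/x" status
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")  # '../' or '..\' after decoding

# Constructed sample log lines (documentation IP ranges); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [26/Feb/2025:10:01:02 +0000] "GET /wp-content/plugins/videowhisper-live-streaming-integration/index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [26/Feb/2025:10:01:07 +0000] "GET /videowhisper-live-streaming-integration/../../../../etc/passwd HTTP/1.1" 403 199 "-" "curl/8.4.0"
198.51.100.2 - - [26/Feb/2025:10:02:11 +0000] "GET /videowhisper-live-streaming-integration/%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 3011 "-" "python-requests/2.31"
198.51.100.2 - - [26/Feb/2025:10:02:15 +0000] "GET /videowhisper-live-streaming-integration/%252e%252e%252fwp-config.php HTTP/1.1" 404 120 "-" "python-requests/2.31"
192.0.2.7 - - [26/Feb/2025:10:03:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 88 "-" "Mozilla/5.0"
"""

def fully_decode(path: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded): %2e%2e%2f and double-encoded %252e%252e%252f both become '../'."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def scan_log(text: str) -> list[dict]:
    """One finding per request that names the plugin path and carries a traversal sequence after decoding."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we can parse
        decoded = fully_decode(m["path"])
        if PLUGIN_SLUG not in decoded or not TRAVERSAL_RE.search(decoded):
            continue
        findings.append({
            "ip": m["ip"], "time": m["ts"], "status": int(m["status"]),
            "raw_path": m["path"], "decoded_path": decoded,
            "served": m["status"].startswith("2"),  # 2xx: the file may actually have been returned
        })
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["status"], "SERVED" if f["served"] else "blocked", f["decoded_path"])
```

Findings with "served" set are the ones to escalate; blocked attempts are still useful as an indicator of who is probing the plugin path.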
Update the 'Broadcast Live Video' plugin to the latest available version to fix the directory traversal vulnerability. Check for available updates in the WordPress admin dashboard or through the WordPress plugin repository. Make sure to take a full backup of your website before applying any update.
CVE-2025-26752 is a HIGH severity vulnerability in Broadcast Live Video allowing attackers to read arbitrary files due to improper path validation. It affects versions 0.0.0–6.2.
Yes, if you are using Broadcast Live Video versions 0.0.0 through 6.2, you are affected by this vulnerability and should upgrade immediately.
Upgrade the Broadcast Live Video plugin to version 6.2.1 or later. As a temporary workaround, implement a WAF rule to block path traversal attempts.
There is currently no evidence of active exploitation, but the ease of exploitation makes it a potential target.
Refer to the vendor's official website or WordPress plugin repository for the latest advisory and update information.