Platform
wordpress
Component
videowhisper-live-streaming-integration
Fixed in
6.2.1
CVE-2025-26752 describes an Arbitrary File Access vulnerability within the Broadcast Live Video plugin for WordPress. This flaw, stemming from improper path validation, allows attackers to potentially read arbitrary files on the server. Versions of Broadcast Live Video from 0.0.0 through 6.2 are affected. A patch has been released in version 6.2.1.
The Arbitrary File Access vulnerability allows an attacker to bypass intended access controls and retrieve files from the server's file system. Successful exploitation could lead to the exposure of sensitive data such as configuration files, database credentials, or even source code. Depending on the server's configuration and the files accessible, this could lead to complete system compromise. While the description doesn't explicitly mention it, a successful file read could be a precursor to further attacks, such as remote code execution if sensitive credentials are exposed.
CVE-2025-26752 was publicly disclosed on 2025-02-25. There is currently no indication of active exploitation campaigns targeting this vulnerability. The vulnerability is not listed on CISA KEV as of this writing. Public proof-of-concept code is not widely available, but the path traversal nature of the vulnerability makes it relatively easy to exploit.
Exploit Status
EPSS
0.19% (41st percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-26752 is to immediately upgrade the Broadcast Live Video plugin to version 6.2.1 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) rule to block requests containing path traversal sequences (e.g., ../). Additionally, restrict file permissions on the WordPress installation to minimize the potential impact of a successful exploit. After upgrading, confirm the vulnerability is resolved by attempting a path traversal request and verifying that access is denied.
Update the 'Broadcast Live Video' plugin to the latest available version to address the directory traversal vulnerability. Check for updates in the WordPress admin panel or through the WordPress plugin repository. Ensure you perform a full backup of your website before applying any updates.
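The mitigation above recommends a WAF rule for traversal sequences and a server-side fix for the path validation. The following is an added example, not code from the advisory or from the plugin, that shows both halves of that advice: a detector run over constructed access-log lines (hypothetical endpoint /plugin/example.php, which is not the plugin's real path) that percent-decodes before matching, since a rule that only matches a literal "../" misses encoded forms, and a containment check that resolves a requested name under a base directory and refuses anything that escapes it.

```python
import os
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed access-log lines; the endpoint /plugin/example.php is hypothetical.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Feb/2025:10:00:01 +0000] "GET /plugin/example.php?file=stream.txt HTTP/1.1" 200 512
203.0.113.9 - - [25/Feb/2025:10:00:02 +0000] "GET /plugin/example.php?file=../../wp-config.php HTTP/1.1" 200 3011
203.0.113.9 - - [25/Feb/2025:10:00:03 +0000] "GET /plugin/example.php?file=..%2F..%2Fwp-config.php HTTP/1.1" 200 3011
203.0.113.9 - - [25/Feb/2025:10:00:04 +0000] "GET /plugin/example.php?file=%252e%252e%252fwp-config.php HTTP/1.1" 403 0
198.51.100.7 - - [25/Feb/2025:10:00:05 +0000] "GET /index.php?p=1 HTTP/1.1" 200 8192
"""
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

def fully_decode(value, max_rounds=3):
    """Percent-decode until stable (bounded) so double-encoded input is compared in decoded form."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")

def has_dotdot_segment(value):
    """True when any path segment of the decoded value is '..'."""
    return ".." in fully_decode(value).split("/")

def traversal_values(request_target):
    """Return the path and query values of one request target that carry a '..' segment."""
    parts = urlsplit(request_target)
    candidates = [parts.path] + [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    return [c for c in candidates if has_dotdot_segment(c)]

def flag_log(log_text):
    """Return (line_number, offending_values) for every log line whose request looks like traversal."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        match = REQUEST_RE.search(line)
        if match and (bad := traversal_values(match.group(1))):
            hits.append((number, bad))
    return hits

def resolve_within(base_dir, requested):
    """Server-side containment check: resolve the requested name under base_dir, None if it escapes."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    return target if os.path.commonpath([base, target]) == base else None
```

Note that the detector reports the once-decoded value it matched, so a double-encoded request is flagged even though the raw log line never contains "../".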
CVE-2025-26752 is a HIGH severity vulnerability in Broadcast Live Video allowing attackers to read arbitrary files due to improper path validation. It affects versions 0.0.0–6.2.
Yes, if you are using Broadcast Live Video versions 0.0.0 through 6.2, you are affected by this vulnerability and should upgrade immediately.
Upgrade the Broadcast Live Video plugin to version 6.2.1 or later. As a temporary workaround, implement a WAF rule to block path traversal attempts.
There is currently no evidence of active exploitation, but the ease of exploitation makes it a potential target.
Refer to the vendor's official website or WordPress plugin repository for the latest advisory and update information.