Platform: wordpress
Component: videowhisper-live-streaming-integration
Fixed in: 6.2.1
CVE-2025-26753 describes an Arbitrary File Access vulnerability within the Broadcast Live Video plugin for WordPress. This flaw, stemming from improper limitation of pathnames, allows attackers to potentially access sensitive files on the server. Versions of Broadcast Live Video from 0.0.0 up to and including 6.2 are affected. A patch has been released in version 6.2.1.
The Arbitrary File Access vulnerability allows an attacker to bypass intended access controls and retrieve files from the server's file system. This could include configuration files containing database credentials, source code, or other sensitive data. Successful exploitation could lead to complete compromise of the WordPress instance and potentially the underlying server. While the description doesn't explicitly mention it, the ability to read arbitrary files could be a stepping stone to further attacks, such as code execution if the attacker can identify and leverage exploitable files.
CVE-2025-26753 was publicly disclosed on 2025-02-25. There is currently no indication of active exploitation or a KEV listing. Public proof-of-concept code is not yet available, but the path traversal nature of the vulnerability makes it likely that such code will emerge. The vulnerability's relatively simple nature suggests a moderate risk of exploitation.
Exploit Status
EPSS: 0.19% (41st percentile)
The primary mitigation for CVE-2025-26753 is to immediately upgrade the Broadcast Live Video plugin to version 6.2.1 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) rule to block requests containing path traversal sequences (e.g., ../). Additionally, restrict file permissions on the WordPress installation to minimize the impact of a potential breach. After upgrading, confirm the vulnerability is resolved by attempting to access a non-public file via a crafted URL; access should be denied.
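As an added example (not code from the plugin or from this advisory's authors), the following Python scanner implements the traversal-sequence monitoring described above over constructed access-log lines; the request path and the `f` parameter are placeholders, not endpoints documented for the plugin. It percent-decodes repeatedly and normalizes the path, so encoded or double-encoded sequences that a naive `../` string match would miss are still flagged, while harmless in-directory `a/../b` references are not.

```python
"""Flag path-traversal attempts in web-server access logs (defender-side check)."""
import re
from posixpath import normpath
from urllib.parse import unquote

# Constructed sample lines in combined log format. The plugin path and the
# 'f' parameter are placeholders, not endpoints documented for the plugin.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Feb/2025:10:00:01 +0000] "GET /wp-content/plugins/example/file.php?f=../../../../wp-config.php HTTP/1.1" 200 3120
10.0.0.6 - - [25/Feb/2025:10:00:02 +0000] "GET /wp-content/plugins/example/file.php?f=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 3120
10.0.0.7 - - [25/Feb/2025:10:00:03 +0000] "GET /wp-content/plugins/example/file.php?f=%252e%252e%252fetc/passwd HTTP/1.1" 403 199
10.0.0.8 - - [25/Feb/2025:10:00:04 +0000] "GET /wp-content/plugins/example/file.php?f=videos/stream.mp4 HTTP/1.1" 200 9000
10.0.0.9 - - [25/Feb/2025:10:00:05 +0000] "GET /wp-content/plugins/example/file.php?f=a/../b.mp4 HTTP/1.1" 200 500
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable so double-encoded sequences are unwrapped."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def escapes_base(param_value: str) -> bool:
    """True if the decoded value resolves outside a hypothetical base directory."""
    decoded = decode_fully(param_value).replace("\\", "/")
    if decoded.startswith("/"):
        return True  # absolute path: names a file outside the base outright
    # Anchor under a dummy base and collapse '.' / '..'; anything that no longer
    # sits under /base/ has climbed out of the intended directory.
    collapsed = normpath("/base/" + decoded)
    return collapsed != "/base" and not collapsed.startswith("/base/")


def scan_log(log_text: str) -> list[tuple[str, str]]:
    """Return (client_ip, request_target) for requests with an escaping parameter."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = match.group("target")
        query = target.partition("?")[2]
        for pair in query.split("&"):
            value = pair.partition("=")[2]
            if value and escapes_base(value):
                hits.append((line.split(" ", 1)[0], target))
                break
    return hits
```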
Update the 'Broadcast Live Video' plugin to the latest available version to fix the directory traversal vulnerability. Check the plugin's page on WordPress.org for the most recent version and update instructions. Be sure to back up your website before updating any plugin.
CVE-2025-26753 is a HIGH severity vulnerability allowing attackers to access files on a WordPress server through the Broadcast Live Video plugin. It affects versions 0.0.0–6.2 and has a CVSS score of 7.5.
If you are using Broadcast Live Video versions 0.0.0 through 6.2 on your WordPress site, you are potentially affected by this vulnerability. Check your plugin version immediately.
Upgrade the Broadcast Live Video plugin to version 6.2.1 or later to resolve this Arbitrary File Access vulnerability. Consider WAF rules as a temporary workaround if immediate upgrade is not possible.
As of now, there is no confirmed evidence of active exploitation, but the vulnerability's nature makes it a potential target. Monitor your systems closely.
Refer to the vendor's official website or WordPress plugin repository for the latest advisory and release notes regarding CVE-2025-26753.