CVE-2025-8899 · CVSS 8.8 · HIGH

Paid Videochat Turnkey Site – HTML5 PPV Live Webcams <= 7.3.20 - Authenticated (Author+) Privilege Escalation

Platform

wordpress

Component

ppv-live-webcams

Fixed in

7.3.21

AI Confidence: high · NVD EPSS 0.0% · Reviewed: May 2026

CVE-2025-8899 is a privilege escalation vulnerability affecting the Paid Videochat Turnkey Site – HTML5 PPV Live Webcams plugin for WordPress. This flaw allows authenticated attackers with Author-level access or higher to escalate their privileges and create administrator accounts. The vulnerability impacts versions 0.0.0 through 7.3.20, and a patch is available in version 7.3.21.

WordPress


Impact and Attack Scenarios

The primary impact of CVE-2025-8899 is the potential for unauthorized access and control over a WordPress site. An attacker, already possessing Author or higher privileges, can leverage this vulnerability to create a registration form that, when used, grants administrator-level access to a newly created user. This effectively bypasses standard access controls and allows the attacker to perform actions they should not be authorized to do, such as modifying site content, installing malicious plugins, or accessing sensitive data. The blast radius extends to the entire WordPress site and any connected systems, as a compromised administrator account provides a gateway for further attacks.

Exploitation Context

CVE-2025-8899 was publicly disclosed on 2026-03-07. While no public proof-of-concept (PoC) code has been released as of this writing, the vulnerability's ease of exploitation makes it a potential target for automated attacks. Its addition to the CISA KEV catalog is pending. The vulnerability's reliance on existing user authentication mechanisms suggests a relatively low barrier to entry for attackers.

Who Is at Risk

WordPress sites utilizing the Paid Videochat Turnkey Site – HTML5 PPV Live Webcams plugin, particularly those with multiple users possessing Author or higher roles, are at significant risk. Shared hosting environments where plugin updates are managed centrally are also vulnerable, as are sites with legacy configurations that may not enforce strict user role restrictions.

Detection Steps

• wordpress / composer / npm: locate installed copies of the plugin's registration form code

grep -r 'videowhisper_register_form' /var/www/html/wp-content/plugins/

• wordpress / composer / npm: list the installed plugin and its version

wp plugin list | grep videowhisper

• wordpress / composer / npm: update the plugin

wp plugin update videowhisper
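An added check that complements the detection steps above (example code, not from this advisory or the plugin's authors): it parses `wp plugin list --format=csv` output, assumed here to list the plugin under the slug ppv-live-webcams, and compares the installed version numerically (not lexically) against the fixed release 7.3.21. The plugin list below is constructed sample output, not data from a real site.

```shell
#!/bin/sh
# Added example: decide whether an installed ppv-live-webcams version
# falls inside the affected range 0 - 7.3.20 (fixed in 7.3.21).
FIXED_VERSION="7.3.21"

# Compare two dotted version strings component by component as integers;
# prints -1, 0 or 1. Missing components count as 0, so 7.3 == 7.3.0.
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        len = (n > m) ? n : m
        for (i = 1; i <= len; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi < yi) { print -1; exit }
            if (xi > yi) { print 1; exit }
        }
        print 0
    }'
}

# Exit status 0 (true) when the version is older than the fixed release.
ppv_affected() {
    [ "$(vercmp "$1" "$FIXED_VERSION")" -lt 0 ]
}

# Constructed sample of `wp plugin list --format=csv` output (assumed slug).
SAMPLE_PLUGIN_LIST='name,status,update,version
akismet,active,none,5.3
ppv-live-webcams,active,available,7.3.20'

# Print one verdict line per ppv-live-webcams row found in the CSV.
check_plugin_list() {
    printf '%s\n' "$1" \
      | awk -F, 'NR > 1 && $1 == "ppv-live-webcams" { print $4 }' \
      | while read -r v; do
            if ppv_affected "$v"; then
                echo "ppv-live-webcams $v: affected, upgrade to $FIXED_VERSION or later"
            else
                echo "ppv-live-webcams $v: not affected"
            fi
        done
}

check_plugin_list "$SAMPLE_PLUGIN_LIST"
```

On a live site, replace the constructed sample with `check_plugin_list "$(wp plugin list --format=csv)"`.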

Attack Timeline

  1. Disclosure

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High
Reports: 2 threat reports

EPSS

0.04% (12th percentile)

CISA SSVC

Exploitation: none
Automatable: no
Technical Impact: total

CVSS Vector

Threat Intelligence · CVSS 3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H · 8.8 HIGH

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: Low (level of authentication required)
User Interaction: None (whether a victim action is required)
Scope: Unchanged (impact beyond the affected component)
Confidentiality: High (risk of sensitive data exposure)
Integrity: High (risk of unauthorized data modification)
Availability: High (risk of service interruption)
nextguardhq.com · CVSS v3.1 base score

What do these metrics mean?
Attack Vector
Network: remotely exploitable over the internet. No physical or local access required.
Attack Complexity
Low: no special conditions required. Reliably exploitable.
Privileges Required
Low: any valid user account is sufficient.
User Interaction
None: the attack is automatic and silent. The victim does nothing.
Scope
Unchanged: impact limited to the vulnerable component.
Confidentiality
High: total loss of confidentiality. The attacker can read all data.
Integrity
High: the attacker can write, modify or delete all data.
Availability
High: complete outage or resource exhaustion. Total denial of service.

Affected Software

Component: ppv-live-webcams
Vendor: wordfence
Affected range: 0 – 7.3.20
Fixed in: 7.3.21

Package Information

Active installations: 30
Plugin rating: 4.2
Requires WordPress: 5.1+
Tested up to: 6.9.4
Requires PHP: 7.4+

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2025-8899 is to immediately upgrade the Paid Videochat Turnkey Site – HTML5 PPV Live Webcams plugin to version 7.3.21 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider restricting user roles that can create posts/pages with the registration form. While not a complete fix, this can reduce the attack surface. Review WordPress user roles and permissions to ensure the principle of least privilege is applied. After upgrading, confirm the fix by attempting to create a new user with administrator privileges through the registration form; this attempt should fail.

How to Fix

Update to version 7.3.21 or a newer fixed version.


Frequently Asked Questions

What is CVE-2025-8899 — Privilege Escalation in Paid Videochat Turnkey Site?

CVE-2025-8899 is a vulnerability in the Paid Videochat Turnkey Site WordPress plugin allowing authenticated users with Author access to escalate privileges and create administrator accounts.

Am I affected by CVE-2025-8899 in Paid Videochat Turnkey Site?

If you are using the Paid Videochat Turnkey Site plugin in versions 0.0.0 through 7.3.20, you are potentially affected by this vulnerability.

How do I fix CVE-2025-8899 in Paid Videochat Turnkey Site?

Upgrade the Paid Videochat Turnkey Site plugin to version 7.3.21 or later to resolve the privilege escalation vulnerability.

Is CVE-2025-8899 being actively exploited?

While no active exploitation has been confirmed, the ease of exploitation makes it a potential target for attackers.

Where can I find the official Paid Videochat Turnkey Site advisory for CVE-2025-8899?

Refer to the plugin developer's website or WordPress plugin repository for the official advisory and update information.
