CVE-2025-8899 | Severity: HIGH | CVSS 8.8

Paid Videochat Turnkey Site – HTML5 PPV Live Webcams <= 7.3.20 - Authenticated (Author+) Privilege Escalation

Platform

wordpress

Component

ppv-live-webcams

Fixed in

7.3.21

AI confidence: high. EPSS: 0.04% (see Threat intelligence below). Assessed: May 2026.

CVE-2025-8899 is a privilege escalation vulnerability affecting the Paid Videochat Turnkey Site – HTML5 PPV Live Webcams plugin for WordPress. This flaw allows authenticated attackers with Author-level access or higher to escalate their privileges and create administrator accounts. The vulnerability impacts versions 0.0.0 through 7.3.20, and a patch is available in version 7.3.21.


Impact and attack scenarios

The primary impact of CVE-2025-8899 is the potential for unauthorized access and control over a WordPress site. An attacker, already possessing Author or higher privileges, can leverage this vulnerability to create a registration form that, when used, grants administrator-level access to a newly created user. This effectively bypasses standard access controls and allows the attacker to perform actions they should not be authorized to do, such as modifying site content, installing malicious plugins, or accessing sensitive data. The blast radius extends to the entire WordPress site and any connected systems, as a compromised administrator account provides a gateway for further attacks.

Exploitation context

CVE-2025-8899 was publicly disclosed on 2026-03-07. No public proof-of-concept (PoC) code had been released as of this writing, and the CVE is not listed in the CISA KEV catalog; its EPSS score is 0.04% (12th percentile) and no exploitation has been reported. Even so, the attack needs nothing beyond a valid Author-level login and the ability to publish content, so the barrier to entry is low and the flaw is a plausible target for automated attacks once a low-privilege account has been obtained.

Who is at risk

WordPress sites running the Paid Videochat Turnkey Site – HTML5 PPV Live Webcams plugin at version 7.3.20 or earlier, particularly those with several users holding the Author role or higher, are at significant risk. Sites where plugin updates lag behind the release (for example, hosting where updates are rolled out centrally on a schedule) stay exposed longer, as do sites that hand out the Author role broadly rather than applying least privilege.

Detection steps

1. Confirm the plugin is installed (the string below is the identifier this page lists for the plugin; the plugin slug in the WordPress repository is ppv-live-webcams):

grep -r 'videowhisper_register_form' /var/www/html/wp-content/plugins/ppv-live-webcams/

2. Read the installed version; anything below 7.3.21 is affected:

wp plugin get ppv-live-webcams --field=version

3. Remediate by updating to the patched release:

wp plugin update ppv-live-webcams


Threat intelligence

Exploit status

Proof of concept: unknown
CISA KEV: no
Internet exposure: high
Reports: 2 threat reports

EPSS

0.04% (12th percentile)

CISA SSVC

Exploitation: none
Automatable: no
Technical impact: total

CVSS vector

CVSS 3.1 base score 8.8 (HIGH), source nextguardhq.com:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: Low (authentication level required for the attack)
User Interaction: None (whether the victim has to act)
Scope: Unchanged (impact beyond the affected component)
Confidentiality: High (risk of exposure of sensitive data)
Integrity: High (risk of unauthorized data modification)
Availability: High (risk of service disruption)

What do these metrics mean?
Attack Vector
Network: exploitable remotely over the internet. No physical or local access required.
Attack Complexity
Low: no special preconditions. Reliably exploitable.
Privileges Required
Low: a low-privileged account is enough. For this CVE that means an account with the Author role or higher, not just any registered user.
User Interaction
None: the attack is automatic and silent. The victim does nothing.
Scope
Unchanged: impact is confined to the vulnerable component (the WordPress site itself).
Confidentiality
High: complete loss of confidentiality. The attacker can read all data.
Integrity
High: the attacker can write, modify or delete all data.
Availability
High: complete outage or resource exhaustion. Total denial of service.

Affected software

Component: ppv-live-webcams
Listed vendor (CNA): wordfence
Affected range: 0 – 7.3.20 (every release up to and including 7.3.20)
Fixed in: 7.3.21

Package information

Active installations: 30
Plugin rating: 4.2
Requires WordPress: 5.1+
Tested up to: 6.9.4
Requires PHP: 7.4+


Mitigation and workarounds

The primary mitigation for CVE-2025-8899 is to upgrade the Paid Videochat Turnkey Site – HTML5 PPV Live Webcams plugin to version 7.3.21 or later without delay. If upgrading is not immediately feasible because of compatibility concerns, reduce the attack surface until it is: deactivate the plugin, or demote untrusted Author-level accounts to Contributor so they can no longer publish content containing the registration form. Neither is a complete fix. Review WordPress user roles and permissions so that the principle of least privilege is applied. After upgrading, confirm the fix on a staging copy by logging in as an Author and attempting to create a new user with administrator privileges through the registration form; the attempt should fail. Because a successful exploit leaves a working administrator account behind, also audit the administrator list for accounts registered while the vulnerable version was installed, remove any you do not recognise, and rotate any credentials or API keys those accounts could have reached.
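The detection steps above and the post-upgrade audit just described can be scripted. The following is an added example written for this page, not tooling from the advisory or from the plugin vendor. It assumes the plugin directory is wp-content/plugins/ppv-live-webcams (the slug from the Component field), that the main plugin file carries a standard WordPress "Version:" header (the file name ppv-live-webcams.php used for the sample is an assumption), and that wp-cli is available for the live checks; the offline part runs against a constructed sample install, and the version comparison is general enough to handle two- or three-component version strings.

```shell
#!/usr/bin/env bash
# Added triage helper for CVE-2025-8899 (example code, not the advisory's or the
# vendor's own tooling). Assumptions: plugin slug ppv-live-webcams, a standard
# WordPress "Version:" plugin header, and wp-cli on PATH for the live checks.

FIXED="7.3.21"          # first patched release per the advisory
SLUG="ppv-live-webcams"

# version_lt A B: succeeds when dotted version A is strictly lower than B.
# Missing components count as 0, so "7.3" < "7.3.21" and "7.3.21" is not < "7.3.21".
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    k = (n > m) ? n : m
    for (i = 1; i <= k; i++) {
      xi = (i in x) ? x[i] + 0 : 0
      yi = (i in y) ? y[i] + 0 : 0
      if (xi < yi) exit 0
      if (xi > yi) exit 1
    }
    exit 1
  }'
}

# plugin_header_version DIR: prints the Version: value from the first plugin header
# found in DIR/*.php (the WordPress plugin header lives in a PHP comment block).
plugin_header_version() {
  grep -h -E '^[[:space:]*]*Version:[[:space:]]*[0-9]' "$1"/*.php 2>/dev/null \
    | head -n 1 | sed -E 's/.*Version:[[:space:]]*//; s/[[:space:]]*$//'
}

# check_plugin_dir DIR: prints one of  absent | unknown: ... | vulnerable: X | fixed: X
check_plugin_dir() {
  local v
  [ -d "$1" ] || { echo "absent"; return 0; }
  v=$(plugin_header_version "$1")
  [ -n "$v" ] || { echo "unknown: no Version header in $1"; return 0; }
  if version_lt "$v" "$FIXED"; then echo "vulnerable: $v"; else echo "fixed: $v"; fi
}

# check_site WPROOT: the same check for a WordPress install root.
check_site() { check_plugin_dir "$1/wp-content/plugins/$SLUG"; }

# live_checks WPROOT: wp-cli version readout plus the post-exposure audit: every
# administrator account with its registration time, oldest first, so accounts created
# while the vulnerable version was installed can be reviewed and removed.
live_checks() {
  command -v wp >/dev/null 2>&1 || { echo "wp-cli not found; skipping live checks"; return 0; }
  wp --path="$1" plugin get "$SLUG" --field=version
  wp --path="$1" user list --role=administrator \
     --fields=ID,user_login,user_email,user_registered --orderby=user_registered
}

# Constructed sample install (not real data): a plugin header at the last affected version.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
mkdir -p "$demo_dir/wp-content/plugins/$SLUG"
cat > "$demo_dir/wp-content/plugins/$SLUG/$SLUG.php" <<'EOF'
<?php
/*
Plugin Name: Paid Videochat Turnkey Site - HTML5 PPV Live Webcams
Version: 7.3.20
*/
EOF

echo "sample install: $(check_site "$demo_dir")"      # vulnerable: 7.3.20
if [ -d "${WP_ROOT:-/var/www/html}/wp-content" ]; then
  echo "live install:   $(check_site "${WP_ROOT:-/var/www/html}")"
  live_checks "${WP_ROOT:-/var/www/html}"
fi
```

Run it as the web user with WP_ROOT pointing at the site root. A "vulnerable:" line means update now; any administrator in the audit output whose user_registered falls inside the window in which the vulnerable version was installed deserves manual review before the account is trusted.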

How to fix

Update to version 7.3.21 or a newer patched version.


Frequently asked questions

What is CVE-2025-8899 — Privilege Escalation in Paid Videochat Turnkey Site?

CVE-2025-8899 is a vulnerability in the Paid Videochat Turnkey Site WordPress plugin allowing authenticated users with Author access to escalate privileges and create administrator accounts.

Am I affected by CVE-2025-8899 in Paid Videochat Turnkey Site?

If you are using the Paid Videochat Turnkey Site plugin in versions 0.0.0 through 7.3.20, you are potentially affected by this vulnerability.

How do I fix CVE-2025-8899 in Paid Videochat Turnkey Site?

Upgrade the Paid Videochat Turnkey Site plugin to version 7.3.21 or later to resolve the privilege escalation vulnerability.

Is CVE-2025-8899 being actively exploited?

While no active exploitation has been confirmed, the ease of exploitation makes it a potential target for attackers.

Where can I find the official Paid Videochat Turnkey Site advisory for CVE-2025-8899?

Refer to the plugin developer's website or WordPress plugin repository for the official advisory and update information.
