Platform
wordpress
Component
ppv-live-webcams
Opgelost in
7.3.21
CVE-2025-8899 is a privilege escalation vulnerability affecting the Paid Videochat Turnkey Site – HTML5 PPV Live Webcams plugin for WordPress. This flaw allows authenticated attackers with Author-level access or higher to escalate their privileges and create administrator accounts. The vulnerability impacts versions 0.0.0 through 7.3.20, and a patch is available in version 7.3.21.
The primary impact of CVE-2025-8899 is the potential for unauthorized access and control over a WordPress site. An attacker, already possessing Author or higher privileges, can leverage this vulnerability to create a registration form that, when used, grants administrator-level access to a newly created user. This effectively bypasses standard access controls and allows the attacker to perform actions they should not be authorized to do, such as modifying site content, installing malicious plugins, or accessing sensitive data. The blast radius extends to the entire WordPress site and any connected systems, as a compromised administrator account provides a gateway for further attacks.
CVE-2025-8899 was publicly disclosed on 2026-03-07. While no public proof-of-concept (PoC) code has been released as of this writing, the vulnerability's ease of exploitation makes it a potential target for automated attacks. Its addition to the CISA KEV catalog is pending. The vulnerability's reliance on existing user authentication mechanisms suggests a relatively low barrier to entry for attackers.
WordPress sites utilizing the Paid Videochat Turnkey Site – HTML5 PPV Live Webcams plugin, particularly those with multiple users possessing Author or higher roles, are at significant risk. Shared hosting environments where plugin updates are managed centrally are also vulnerable, as are sites with legacy configurations that may not enforce strict user role restrictions.
• wordpress / composer / npm:
grep -r 'videowhisper_register_form' /var/www/html/wp-content/plugins/• wordpress / composer / npm:
wp plugin list | grep videowhisper• wordpress / composer / npm:
wp plugin update videowhisperdisclosure
Exploit Status
EPSS
0.04% (12% percentiel)
CISA SSVC
CVSS-vector
The primary mitigation for CVE-2025-8899 is to immediately upgrade the Paid Videochat Turnkey Site – HTML5 PPV Live Webcams plugin to version 7.3.21 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider restricting user roles that can create posts/pages with the registration form. While not a complete fix, this can reduce the attack surface. Review WordPress user roles and permissions to ensure the principle of least privilege is applied. After upgrading, confirm the fix by attempting to create a new user with administrator privileges through the registration form; this attempt should fail.
Update naar versie 7.3.21, of een nieuwere gepatchte versie
Kwetsbaarheidsanalyses en kritieke waarschuwingen direct in uw inbox.
CVE-2025-8899 is a vulnerability in the Paid Videochat Turnkey Site WordPress plugin allowing authenticated users with Author access to escalate privileges and create administrator accounts.
If you are using the Paid Videochat Turnkey Site plugin in versions 0.0.0 through 7.3.20, you are potentially affected by this vulnerability.
Upgrade the Paid Videochat Turnkey Site plugin to version 7.3.21 or later to resolve the privilege escalation vulnerability.
While no active exploitation has been confirmed, the ease of exploitation makes it a potential target for attackers.
Refer to the plugin developer's website or WordPress plugin repository for the official advisory and update information.
Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.
Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.