平台
wordpress
组件
ppv-live-webcams
修复版本
7.3.21
CVE-2025-8899 is a privilege escalation vulnerability affecting the Paid Videochat Turnkey Site – HTML5 PPV Live Webcams plugin for WordPress. This flaw allows authenticated attackers with Author-level access or higher to escalate their privileges and create administrator accounts. The vulnerability impacts versions 0.0.0 through 7.3.20, and a patch is available in version 7.3.21.
The primary impact of CVE-2025-8899 is the potential for unauthorized access and control over a WordPress site. An attacker, already possessing Author or higher privileges, can leverage this vulnerability to create a registration form that, when used, grants administrator-level access to a newly created user. This effectively bypasses standard access controls and allows the attacker to perform actions they should not be authorized to do, such as modifying site content, installing malicious plugins, or accessing sensitive data. The blast radius extends to the entire WordPress site and any connected systems, as a compromised administrator account provides a gateway for further attacks.
CVE-2025-8899 was publicly disclosed on 2026-03-07. While no public proof-of-concept (PoC) code has been released as of this writing, the vulnerability's ease of exploitation makes it a potential target for automated attacks. Its addition to the CISA KEV catalog is pending. The vulnerability's reliance on existing user authentication mechanisms suggests a relatively low barrier to entry for attackers.
WordPress sites utilizing the Paid Videochat Turnkey Site – HTML5 PPV Live Webcams plugin, particularly those with multiple users possessing Author or higher roles, are at significant risk. Shared hosting environments where plugin updates are managed centrally are also vulnerable, as are sites with legacy configurations that may not enforce strict user role restrictions.
• wordpress / composer / npm:
grep -r 'videowhisper_register_form' /var/www/html/wp-content/plugins/• wordpress / composer / npm:
wp plugin list | grep videowhisper• wordpress / composer / npm:
wp plugin update videowhisperdisclosure
漏洞利用状态
EPSS
0.04% (12% 百分位)
CISA SSVC
CVSS 向量
The primary mitigation for CVE-2025-8899 is to immediately upgrade the Paid Videochat Turnkey Site – HTML5 PPV Live Webcams plugin to version 7.3.21 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider restricting user roles that can create posts/pages with the registration form. While not a complete fix, this can reduce the attack surface. Review WordPress user roles and permissions to ensure the principle of least privilege is applied. After upgrading, confirm the fix by attempting to create a new user with administrator privileges through the registration form; this attempt should fail.
更新到 7.3.21 版本,或更新的补丁版本
漏洞分析和关键警报直接发送到您的邮箱。
CVE-2025-8899 is a vulnerability in the Paid Videochat Turnkey Site WordPress plugin allowing authenticated users with Author access to escalate privileges and create administrator accounts.
If you are using the Paid Videochat Turnkey Site plugin in versions 0.0.0 through 7.3.20, you are potentially affected by this vulnerability.
Upgrade the Paid Videochat Turnkey Site plugin to version 7.3.21 or later to resolve the privilege escalation vulnerability.
While no active exploitation has been confirmed, the ease of exploitation makes it a potential target for attackers.
Refer to the plugin developer's website or WordPress plugin repository for the official advisory and update information.
上传你的依赖文件,立即了解此CVE和其他CVE是否影响你。
上传你的依赖文件,立即了解此CVE和其他CVE是否影响你。