Impact
The Videowhisper Live Streaming Integration plugin contains a path traversal flaw that may allow an attacker to delete arbitrary files on the server. The flaw arises because the plugin does not limit user‑supplied file paths to the intended directory, permitting traversal sequences such as "..". If an attacker supplies a crafted file path, the plugin’s deletion operation could remove configuration files, logs, or other critical assets, leading to data loss or service disruption. This vulnerability is categorized as CWE‑22.
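The containment check whose absence is described above, as an added PHP example; this is not the plugin's code, and the function names, directory layout and file names are hypothetical. The unsafe variant shows the general CWE-22 pattern, and the safe variant canonicalises the path and refuses anything that resolves outside the intended directory.

```php
<?php
// Added illustration; all names are hypothetical, not taken from the plugin.

// Vulnerable pattern: the request value is joined to the base directory as-is,
// so ".." segments can resolve to a file outside of it.
function delete_upload_unsafe(string $baseDir, string $name): bool
{
    return @unlink($baseDir . '/' . $name);
}

// Hardened pattern: canonicalise first, then require the result to sit
// inside the canonical base directory before deleting anything.
function delete_upload_safe(string $baseDir, string $name): bool
{
    $base   = realpath($baseDir);
    $target = realpath($baseDir . '/' . $name); // resolves ".." and symlinks; false if missing
    if ($base === false || $target === false) {
        return false;
    }
    // Trailing separator stops "/uploads_old" from matching the "/uploads" prefix.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0 || !is_file($target)) {
        return false; // outside the intended directory, or not a regular file
    }
    return unlink($target);
}

// Constructed demo in a throwaway temp tree.
$root = sys_get_temp_dir() . '/cwe22_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/uploads', 0700, true);
file_put_contents($root . '/uploads/clip.flv', 'x');
file_put_contents($root . '/config.php', 'x');

// Traversal attempt is rejected and the file outside uploads/ survives.
var_dump(delete_upload_safe($root . '/uploads', '../config.php'));
var_dump(file_exists($root . '/config.php'));
// A file that really lives inside uploads/ is deleted.
var_dump(delete_upload_safe($root . '/uploads', 'clip.flv'));

// Clean up the demo tree.
unlink($root . '/config.php');
rmdir($root . '/uploads');
rmdir($root);
```

In a WordPress handler, a check like this belongs after the capability and nonce checks, since containment limits which files can be deleted but not who may request a deletion.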
Affected Systems
Affected systems are WordPress installations running the Videowhisper Live Streaming Integration plugin, version 6.2 or earlier, including any instance of the Broadcast Live Video plugin deployed on a server where the plugin is installed.
Risk and Exploitability
The CVSS score of 8.6 indicates high severity. The EPSS score of <1% suggests that exploitation in the wild is unlikely at present. The plugin is not listed in the CISA KEV catalog. The likely attack vector is inferred to be remote, via the plugin’s exposed web interface; an attacker who can send crafted HTTP requests may be able to trigger the deletion. No special hardware or software is required beyond normal web access to the WordPress site, and it is unclear from the description whether authentication is required.