Description
The Paid Videochat Turnkey Site – HTML5 PPV Live Webcams plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 7.3.20. This is due to the videowhisper_register_form() function not restricting the user roles that can be set during registration. This makes it possible for authenticated attackers, with Author-level access and above, to create posts/pages with the registration form and administrator set as the role, and subsequently use that form to register an administrator account. This can also be exploited by contributors, but is far less likely to be successful because an administrator would need to approve the form with the administrator role for the attack to be successful.
Published: 2026-03-07
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation to create administrator accounts
Action: Immediate Patch
AI Analysis

Impact

The Paid Videochat Turnkey Site – HTML5 PPV Live Webcams plugin for WordPress has a flaw that allows an authenticated user with Author or higher privileges to set a registration form’s target role to administrator. By creating such a form and then registering through it, the attacker can spawn an account with administrative rights. The vulnerability stems from unchecked role assignment in the videowhisper_register_form() function, representing an improper privilege management weakness (CWE‑269).

Affected Systems

Any WordPress site running the Paid Videochat Turnkey Site – HTML5 PPV Live Webcams plugin version 7.3.20 or earlier is susceptible. Sites should verify the plugin version and update to a newer release if available. The vendor, videowhisper, offers the plugin under the name Paid Videochat Turnkey Site – HTML5 PPV Live Webcams.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity, while the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not currently listed in CISA's KEV catalog. Exploitation requires an account with Author or higher privileges, and the attacker must successfully configure a form that assigns the administrator role before using it to register. Once the form is deployed, the attacker can create an administrator account without further privileges. The attack vector is likely remote via the WordPress back‑end, and the attacker must have prior authenticated access to create forms.

Generated by OpenCVE AI on April 20, 2026 at 18:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Paid Videochat Turnkey Site – HTML5 PPV Live Webcams plugin to the latest version that removes the unchecked role assignment bug
  • If an upgrade is not yet available, disable or remove the ability in the plugin to set the registration role to Administrator, ensuring only non‑privileged roles can be chosen
  • Monitor for any new administrator accounts or suspicious role changes in WordPress, and revoke any accounts created without proper approval
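
One way to apply the second and third recommendations site-wide, as an added example (not code from the plugin, its vendor, or OpenCVE): a hypothetical must-use plugin that reverts and logs any privileged role granted outside a trusted context. The file name, function names, capability list and the 'subscriber' fallback role are assumptions.

```php
<?php
/**
 * Added example: hypothetical must-use plugin (e.g. wp-content/mu-plugins/role-guard.php).
 * Reverts privileged roles that are assigned by a registration flow rather than
 * by an administrator. Not part of the Paid Videochat plugin.
 */

// Capabilities that mark a role as privileged for this guard (assumed list).
const ROLE_GUARD_CAPS = array( 'manage_options', 'promote_users', 'edit_users' );

// True when the named role grants any of the guarded capabilities.
function role_guard_is_privileged( $role_name ) {
    $role = get_role( $role_name );
    if ( null === $role ) {
        return false;
    }
    foreach ( ROLE_GUARD_CAPS as $cap ) {
        if ( $role->has_cap( $cap ) ) {
            return true;
        }
    }
    return false;
}

// Runs after WP_User::set_role() / add_role(); demotes the account when the
// role is privileged and the request does not come from a trusted context.
function role_guard_check( $user_id, $role_name ) {
    static $reverting = false; // prevents re-entry while we call set_role() ourselves
    if ( $reverting || ! role_guard_is_privileged( $role_name ) ) {
        return;
    }
    // Trusted contexts: the installer, WP-CLI, or an acting user allowed to promote users.
    if ( wp_installing() || ( defined( 'WP_CLI' ) && WP_CLI ) || current_user_can( 'promote_users' ) ) {
        return;
    }
    $user = get_userdata( $user_id );
    if ( ! $user ) {
        return;
    }
    $reverting = true;
    $user->set_role( 'subscriber' ); // assumed safe fallback role
    $reverting = false;
    error_log( sprintf( 'role-guard: reverted role "%s" on user %d (acting user %d)',
        $role_name, $user_id, get_current_user_id() ) );
}
add_action( 'set_user_role', 'role_guard_check', 10, 2 );
add_action( 'add_user_role', 'role_guard_check', 10, 2 );
```

The logged lines double as the monitoring signal: each entry records an attempt to grant a privileged role through a path other than an administrator's own action.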

Advisories

No advisories yet.

History

Mon, 09 Mar 2026 20:15:00 +0000

Values Added, by Type (no Values Removed are listed):
Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 09 Mar 2026 10:15:00 +0000

Values Added, by Type (no Values Removed are listed):
First Time appeared: Videowhisper; Videowhisper paid Videochat Turnkey Site – Html5 Ppv Live Webcams; Wordpress; Wordpress wordpress
Vendors & Products: Videowhisper; Videowhisper paid Videochat Turnkey Site – Html5 Ppv Live Webcams; Wordpress; Wordpress wordpress

Sat, 07 Mar 2026 06:00:00 +0000

Values Added, by Type (no Values Removed are listed):
Description: The Paid Videochat Turnkey Site – HTML5 PPV Live Webcams plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 7.3.20. This is due to the videowhisper_register_form() function not restricting the user roles that can be set during registration. This makes it possible for authenticated attackers, with Author-level access and above, to create posts/pages with the registration form and administrator set as the role, and subsequently use that form to register an administrator account. This can also be exploited by contributors, but is far less likely to be successful because an administrator would need to approve the form with the administrator role for the attack to be successful.
Title: Paid Videochat Turnkey Site – HTML5 PPV Live Webcams <= 7.3.20 - Authenticated (Author+) Privilege Escalation
Weaknesses: CWE-269
References:
Metrics: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:33:43.206Z

Reserved: 2025-08-12T18:10:56.467Z

Link: CVE-2025-8899

Vulnrichment

Updated: 2026-03-09T19:07:35.312Z

NVD

Status: Awaiting Analysis

Published: 2026-03-07T06:16:09.350

Modified: 2026-03-09T13:35:34.633

Link: CVE-2025-8899

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T19:00:10Z
