Description
Unauthenticated PHP Object Injection in Broadcast Live Video < 7.1.3 versions.
Published: 2026-06-15
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Broadcast Live Video plugin for WordPress contains an unauthenticated PHP Object Injection flaw that permits the creation of arbitrary PHP objects from user-supplied data. This weakness, classified as CWE‑502, allows an attacker to execute arbitrary code on the server, potentially gaining full control of the affected WordPress installation. The vulnerability is triggered by requests to the plugin’s public endpoint, with no authentication or additional permissions required.

Affected Systems

WordPress sites that have installed the VideoWhisper.com Broadcast Live Video plugin with a version earlier than 7.1.3 are impacted. The plugin is a standard WordPress plugin and none of the core WordPress products or other third‑party plugins are affected.

Risk and Exploitability

With a CVSS base score of 9.8 the flaw is deemed critical, indicating severe threats to confidentiality, integrity and availability. The EPSS score of less than 1% suggests that automated exploitation attempts are uncommon but still plausible, particularly in environments where the plugin endpoint remains publicly reachable. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit it remotely via crafted requests to the plugin’s API, resulting in remote code execution and potential full system compromise.

Generated by OpenCVE AI on June 17, 2026 at 23:09 UTC.

Remediation

Vendor Solution

Update the WordPress Broadcast Live Video Plugin to the latest available version (at least 7.1.3).


OpenCVE Recommended Actions

  • Update the Broadcast Live Video plugin to version 7.1.3 or newer.
  • Remove any stale plugin files from the server and restart the web server or PHP runtime to ensure the new code is loaded.
  • After upgrading, monitor the site for anomalous traffic, configure a web application firewall to block malicious object injection patterns, and consider enabling file‑integrity monitoring to detect unauthorized changes.

Generated by OpenCVE AI on June 17, 2026 at 23:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 09:30:00 +0000

Type Values Removed Values Added
First Time appeared Videowhisper
Videowhisper broadcast Live Video
Wordpress
Wordpress wordpress
Vendors & Products Videowhisper
Videowhisper broadcast Live Video
Wordpress
Wordpress wordpress

Tue, 16 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description Unauthenticated PHP Object Injection in Broadcast Live Video < 7.1.3 versions.
Title WordPress Broadcast Live Video plugin < 7.1.3 - PHP Object Injection vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Videowhisper Broadcast Live Video
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-16T17:12:23.197Z

Reserved: 2026-02-17T13:23:30.505Z

Link: CVE-2026-27053

cve-icon Vulnrichment

Updated: 2026-06-16T14:11:10.821Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T21:16:40.640

Modified: 2026-06-15T21:24:32.790

Link: CVE-2026-27053

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:15:02Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data