Impact
The Broadcast Live Video plugin for WordPress contains an unauthenticated PHP Object Injection flaw that permits the creation of arbitrary PHP objects from user-supplied data. This weakness, classified as CWE‑502, allows an attacker to execute arbitrary code on the server, potentially gaining full control of the affected WordPress installation. The vulnerability is triggered by requests to the plugin’s public endpoint, with no authentication or additional permissions required.
Affected Systems
WordPress sites that have installed the VideoWhisper.com Broadcast Live Video plugin with a version earlier than 7.1.3 are impacted. The plugin is a standard WordPress plugin and none of the core WordPress products or other third‑party plugins are affected.
Risk and Exploitability
With a CVSS base score of 9.8 the flaw is deemed critical, indicating severe threats to confidentiality, integrity and availability. The EPSS score of less than 1% suggests that automated exploitation attempts are uncommon but still plausible, particularly in environments where the plugin endpoint remains publicly reachable. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit it remotely via crafted requests to the plugin’s API, resulting in remote code execution and potential full system compromise.
OpenCVE Enrichment