Impact
Unrestricted deserialization of user-supplied input is present in versions of the Paid Videochat Turnkey Site Plugin up to 7.3.23, allowing attackers to craft serialized payloads that result in arbitrary code execution within the WordPress environment. This weakness is classified as CWE-502, and the lack of authentication on the vulnerable endpoints means the flaw can be triggered by any party that can reach the plugin’s interface. The consequence is the potential compromise of the entire WordPress site, including data integrity and confidentiality.
Affected Systems
The affected product is VideoWhisper.com’s Paid Videochat Turnkey Site WordPress plugin, version 7.3.23 and earlier. Users running these versions of the plugin are vulnerable.
Risk and Exploitability
The CVSS score of 8.1 indicates high severity, while the EPSS score of less than 1% suggests a low current exploitation rate. The vulnerability is not listed in the CISA KEV catalog, but attackers could still exploit it by sending crafted serialized data to the plugin’s unauthenticated endpoints. Because the flaw allows arbitrary code execution, the risk to a site that hosts the vulnerable plugin is substantial despite the low public exploitation probability.
OpenCVE Enrichment