Impact
The vulnerability allows an attacker to delete arbitrary files via the WordPress Paid Videochat Turnkey Site plugin. It stems from improper validation of file paths and is identified as CWE-22. An attacker who exploits this flaw can remove essential configuration or content files, leading to data loss, service disruption, and possible further compromise if other weaknesses exist.
Affected Systems
The affected product is Videowhispers’ Paid Videochat Turnkey Site plugin, versions up to and including 7.4.8. No more granular version data is provided in the source information.
Risk and Exploitability
The CVSS score of 9.9 classifies this as a critical vulnerability with very high impact. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog. Based on the description, the attack vector is inferred to be remote, via the web interface, and privileged access or an elevated user role may be required to trigger the deletion operation.