CVE-2025-8899
Privilege Escalation in Paid Videochat WordPress Plugin
Publication date: 2026-03-07
Last updated on: 2026-03-07
Assigner: Wordfence
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| videowhisper | ppv-live-webcams | 7.3.20 |
| videowhisper | ppv-live-webcams | up to and including 7.3.20 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-269 | The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the Paid Videochat Turnkey Site – HTML5 PPV Live Webcams WordPress plugin (up to and including version 7.3.20) is a privilege escalation issue caused by improper handling of user roles during registration.
Specifically, the function videowhisper_register_form() does not properly restrict which user roles can be assigned when a new user registers. Authenticated attackers with Author-level access or higher can create posts or pages containing a registration form that assigns the administrator role to new users, effectively allowing them to create administrator accounts.
The root cause is that the plugin validates the requested role against a whitelist, but if the requested role does not exist it creates that role dynamically with minimal capabilities. This fallback can be used to bypass the whitelist check and assign unauthorized roles.
How can this vulnerability impact me?
This vulnerability can have severe impacts as it allows attackers with relatively low privileges (Author-level or Contributor-level users) to escalate their privileges to administrator level.
By creating administrator accounts through the registration form exploit, attackers can gain full control over the WordPress site, including the ability to modify content, install malicious plugins or themes, access sensitive data, and disrupt site operations.
Such unauthorized access compromises the security and integrity of the website, potentially leading to data breaches, defacement, or further exploitation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detecting exposure to this vulnerability involves checking whether the WordPress site is running the ppv-live-webcams plugin at version 7.3.20 or earlier, and checking whether unexpected user roles have been created or whether users have been registered with elevated privileges through the registration form.
Inspect the WordPress roles and user accounts to identify any suspicious or unauthorized administrator accounts created through the registration form.
- Use WP-CLI to list all administrator users: wp user list --role=administrator
- Check when administrator users were registered: wp user list --role=administrator --fields=ID,display_name,user_registered
- Review the installed plugin version: wp plugin status ppv-live-webcams
- Look for dynamically created, non-standard roles: the role definitions live in the wp_user_roles row of the wp_options table, and each user's assigned roles are stored in the wp_capabilities meta key in wp_usermeta. Any role slug outside the WordPress core set (administrator, editor, author, contributor, subscriber) that is not documented by an installed plugin or theme deserves review.
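The audit described above can be scripted against WP-CLI output. The following Python script is an added example, not part of the CVE record or the plugin vendor's code: it consumes the CSV that the real commands `wp role list --format=csv` and `wp user list --format=csv --fields=ID,user_login,roles,user_registered` produce (assumed to have been saved to files beforehand), flags role slugs outside the WordPress core set, lists users holding such roles, and lists administrator accounts registered after a baseline date of your choosing. The sample CSV, the `vw_member` role slug and all user names are constructed for the example.

```python
"""Audit WP-CLI CSV exports for non-standard roles and recently created admins.

Added example (not from the CVE record or the plugin). Input format matches:
    wp role list --format=csv                                   -> name,role
    wp user list --format=csv --fields=ID,user_login,roles,user_registered
"""
import csv
import io
from datetime import datetime

# Roles shipped with WordPress core; anything else was added by a plugin,
# a theme, an administrator, or an attacker and should be triaged.
CORE_ROLES = {"administrator", "editor", "author", "contributor", "subscriber"}

# Constructed sample output of `wp role list --format=csv`.
SAMPLE_ROLES_CSV = """name,role
Administrator,administrator
Editor,editor
Author,author
Contributor,contributor
Subscriber,subscriber
Member,vw_member
"""

# Constructed sample output of `wp user list --format=csv --fields=...`.
# user_registered is the MySQL datetime WordPress stores (UTC).
SAMPLE_USERS_CSV = """ID,user_login,roles,user_registered
1,siteowner,administrator,2021-03-10 08:00:00
7,writer_jane,author,2024-06-01 12:30:00
42,newadmin,administrator,2025-11-02 09:14:33
43,viewer,vw_member,2025-11-03 10:00:00
"""

# Date of the last audit in which the administrator list was known-good.
BASELINE = datetime(2025, 1, 1)


def read_rows(csv_text):
    """Parse WP-CLI CSV output into a list of dicts keyed by header."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def nonstandard_roles(roles_csv):
    """Return role slugs that are not part of WordPress core, sorted."""
    return sorted(row["role"] for row in read_rows(roles_csv)
                  if row["role"] not in CORE_ROLES)


def user_roles(row):
    """`roles` is a comma-separated list (a user may hold several roles)."""
    return [r.strip() for r in row["roles"].split(",") if r.strip()]


def admins_registered_after(users_csv, baseline):
    """Return user rows that hold 'administrator' and were created after baseline."""
    hits = []
    for row in read_rows(users_csv):
        registered = datetime.strptime(row["user_registered"], "%Y-%m-%d %H:%M:%S")
        if "administrator" in user_roles(row) and registered > baseline:
            hits.append(row)
    return hits


def audit(roles_csv, users_csv, baseline):
    """Combine the checks into one report suitable for a ticket or SIEM event."""
    odd = set(nonstandard_roles(roles_csv))
    return {
        "nonstandard_roles": sorted(odd),
        "recent_admins": [r["user_login"]
                          for r in admins_registered_after(users_csv, baseline)],
        "users_with_nonstandard_roles": sorted(
            r["user_login"] for r in read_rows(users_csv)
            if odd & set(user_roles(r))),
    }


if __name__ == "__main__":
    # Replace the constructed samples with open("roles.csv").read() etc.
    for key, value in audit(SAMPLE_ROLES_CSV, SAMPLE_USERS_CSV, BASELINE).items():
        print(f"{key}: {value}")
```

A non-core role is not proof of compromise: legitimate plugins register roles too, so compare each flagged slug against the documentation of the plugins installed, and treat an administrator account created after the baseline that nobody on the team can account for as the higher-priority finding.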
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to update the ppv-live-webcams plugin to a fixed version later than 7.3.20.
If an update is not immediately possible, restrict user registration capabilities to trusted roles only and disable public registration forms that allow a role to be chosen.
Audit existing user accounts for unauthorized administrator or other elevated roles, and remove or downgrade any account that cannot be accounted for.
Add access controls and monitoring around the user registration process so that privilege escalation attempts are detected and blocked.