CVE-2026-57331
Received Received - Intake

Paid Videochat Turnkey File Deletion Flaw

Publication date: 2026-06-29

Last updated on: 2026-06-29

Assigner: Patchstack

Description
Performer Arbitrary File Deletion in Paid Videochat Turnkey Site <= 7.4.8 versions.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-29
Last Modified
2026-06-29
Generated
2026-06-29
AI Q&A
2026-06-29
EPSS Evaluated
N/A
NVD
CVE-2026-57331
EUVD
EUVD-2026-40102

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
patchstack paid_videochat_turnkey_site_plugin to 7.4.8 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Impact Analysis

Exploitation of this vulnerability can lead to deletion of important files on your website, which may cause the site to malfunction or break entirely.

This can result in loss of data, downtime, and potentially compromise the availability and integrity of your website.

Executive Summary

CVE-2026-57331 is an Arbitrary File Deletion vulnerability found in the WordPress Paid Videochat Turnkey Site Plugin versions 7.4.8 and earlier.

This flaw allows an attacker with limited privileges to delete critical files from a website using the vulnerable plugin.

The vulnerability is categorized under Broken Access Control in the OWASP Top 10 and has a very high severity score of 9.9.

Detection Guidance

This vulnerability affects the WordPress Paid Videochat Turnkey Site Plugin versions 7.4.8 and earlier, allowing arbitrary file deletion. Detection involves verifying the plugin version installed on your WordPress site.

You can check the plugin version via the WordPress admin dashboard or by running commands on your server to inspect the plugin files.

  • Use WP-CLI to check the plugin version: wp plugin list | grep ppv-live-webcams
  • Manually check the plugin version in the plugin's main PHP file, usually located at wp-content/plugins/ppv-live-webcams/, by viewing the version header.

Additionally, monitor your web server logs for suspicious file deletion attempts or unexpected errors indicating missing files, which could be signs of exploitation.

Mitigation Strategies

The primary immediate mitigation step is to update the Paid Videochat Turnkey Site Plugin to version 7.4.9 or later, where the vulnerability has been patched.

If updating is not immediately possible, you should seek assistance from your hosting provider or a web developer to apply temporary protections.

Patchstack offers a mitigation rule that can temporarily block attacks exploiting this vulnerability until the plugin is updated.

Compliance Impact

The vulnerability allows an attacker to delete critical files from a website, which could lead to site malfunction or complete breakdown. Such unauthorized file deletion represents a serious security breach related to Broken Access Control.

While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, the high severity and potential impact on data integrity and availability could imply risks to compliance, especially where data protection and system availability are mandated.

Organizations using the affected plugin should promptly update to the patched version to mitigate risks that could affect regulatory compliance.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-57331. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart