Attack Vectors
Paid Videochat Turnkey Site – HTML5 PPV Live Webcams (WordPress plugin slug: ppv-live-webcams) has a High-severity privilege escalation vulnerability (CVSS 8.8, CVE-2025-8899) affecting versions up to and including 7.3.20.
The reported attack path is business-realistic: an authenticated user with Author-level access or higher can publish a post or page that includes the plugin’s registration form, set the registration role to administrator, and then use that form to create a new admin account.
While it may be possible for lower roles (such as contributors) to exploit under certain conditions, the primary risk is strongest when your site grants content publishing capabilities to non-admin staff, agencies, contractors, or partners.
Security Weakness
The vulnerability is caused by the plugin’s videowhisper_register_form() function not restricting which user roles can be set during registration. In plain business terms: the registration workflow can be misused to assign an overly powerful role.
This creates a permission gap where a trusted-but-limited user (for example, an author who can publish content) can indirectly trigger the creation of an administrator account, bypassing normal governance and approval processes for privileged access.
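As an added illustration, not the plugin's own code and not taken from the Wordfence advisory, the handler below shows the control the weakness describes as missing: the role requested by a registration form or shortcode is matched against an allowlist, and a capability check runs before any privileged role can be assigned. Function names, the "acme_" prefix and the role names in the allowlist are hypothetical; WordPress core functions (wp_insert_user, current_user_can, sanitize_key) are real.

```php
<?php
// Added example (hypothetical names; not the plugin's code). Weak pattern being
// avoided: taking a role value from shortcode attributes or the submitted form
// and passing it straight to wp_insert_user().

// Roles a self-registration form may ever assign. 'administrator' and 'editor'
// are deliberately absent; privileged accounts are created only in wp-admin by
// someone who already holds the create_users/promote_users capabilities.
function acme_allowed_roles() {
    return array( 'subscriber', 'customer', 'performer' ); // hypothetical roles
}

// Resolve the role for a new account. $requested is untrusted input, no matter
// who published the page carrying the form.
function acme_resolve_registration_role( $requested ) {
    $requested = sanitize_key( (string) $requested );
    if ( in_array( $requested, acme_allowed_roles(), true ) ) {
        return $requested;
    }
    // Fall back to the site default instead of honoring an unexpected value.
    return sanitize_key( get_option( 'default_role', 'subscriber' ) );
}

// Create the account. Returns the new user ID or a WP_Error.
function acme_register_handler( $login, $email, $password, $requested_role ) {
    $role = acme_resolve_registration_role( $requested_role );

    // Defense in depth: even if the allowlist is later edited to include a
    // privileged role, refuse unless the acting user could promote users anyway.
    $privileged = array( 'administrator', 'editor' );
    if ( in_array( $role, $privileged, true ) && ! current_user_can( 'promote_users' ) ) {
        return new WP_Error( 'forbidden_role', 'Registration cannot assign this role.' );
    }

    $user_id = wp_insert_user( array(
        'user_login' => sanitize_user( $login, true ),
        'user_email' => sanitize_email( $email ),
        'user_pass'  => $password,
        'role'       => $role,
    ) );

    if ( ! is_wp_error( $user_id ) ) {
        // Audit trail: unexpected role assignments become visible in server logs.
        error_log( sprintf( 'registration: user %d created with role %s', $user_id, $role ) );
    }
    return $user_id;
}
```

Reviewing your own site's registration forms for the same property (role chosen server-side from an allowlist, never from page content) is the corresponding check for other plugins.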
Technical or Business Impacts
If exploited, the attacker can gain administrator control, which typically means full site takeover. From a business-risk perspective, this can lead to website defacement, unauthorized changes to pricing or conversion pages, and disruption of marketing campaigns and lead generation.
With administrator access, attackers may be able to access sensitive data stored in WordPress (such as customer or member information, order details, or internal content), potentially triggering compliance and notification obligations depending on your industry and data footprint.
Operationally, recovery can involve downtime, incident response costs, reputational impact, and increased scrutiny from customers and regulators—especially if the site supports paid videochat workflows, memberships, or other revenue-generating services.
Recommended remediation: update Paid Videochat Turnkey Site – HTML5 PPV Live Webcams to version 7.3.21 or newer (patched). Source: Wordfence vulnerability advisory.
Similar Attacks
Privilege escalation and unauthorized admin creation are recurring themes in WordPress incidents because they convert a “limited” foothold into full control. Here are a few real examples of WordPress-related vulnerabilities and campaigns that demonstrate the broader pattern of attackers targeting popular plugins and site access:
CVE-2024-27956 (WP Automatic) – Arbitrary file download / sensitive data exposure risk
Wordfence: Essential Addons for Elementor (2023) – widely exploited plugin vulnerability example
Wordfence: large-scale WordPress credential compromise campaign