Executive Summary
A critical unauthenticated PHP Object Injection vulnerability has been disclosed in the Broadcast Live Video WordPress plugin, affecting all versions prior to 7.1.3. Tracked as CVE-2026-27053 with a CVSS score of 9.8 (Critical), this vulnerability enables remote attackers to inject and deserialize malicious PHP objects without requiring any authentication, potentially leading to remote code execution (RCE), arbitrary file deletion, or Server-Side Request Forgery (SSRF).
CVSS Score: 9.8 (Critical)
WordPress sites running this plugin that have not yet updated to version 7.1.3 or later are at risk and should patch immediately.
Vulnerability Overview
Root Cause
PHP Object Injection occurs when user-supplied input is passed to PHP's unserialize() function without proper sanitization. An attacker can craft a malicious serialized PHP object that, when deserialized, triggers a sequence of PHP magic methods — commonly called a Property-Oriented Programming (POP) chain — ultimately achieving code execution, file manipulation, or other destructive outcomes depending on the classes available in the application's codebase.
In the case of CVE-2026-27053, the deserialization occurs in an unauthenticated context, meaning no WordPress account or credentials are needed to trigger the vulnerability.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-27053 |
| CVSS Score | 9.8 (Critical) |
| Type | PHP Object Injection (Deserialization) |
| Attack Vector | Network |
| Authentication | None required |
| Privileges Required | None |
| User Interaction | None |
| Plugin | Broadcast Live Video |
| Fixed Version | 7.1.3 |
Affected Versions and Patches
| Product | Affected Versions | Fixed Version |
|---|---|---|
| Broadcast Live Video (WordPress plugin) | < 7.1.3 | 7.1.3+ |
The patch was released on June 15, 2026 via the WordPress plugin repository. Automatic updates are available for sites with auto-update enabled.
Technical Details
What Is PHP Object Injection?
PHP Object Injection is a class of vulnerability that arises when an application deserializes user-controlled data using PHP's native unserialize() function. The danger lies in how PHP handles object deserialization:
- Magic methods (__wakeup(), __destruct(), __toString(), etc.) are automatically called during deserialization
- If the application includes classes with dangerous magic method implementations, attackers can craft a serialized payload that chains these methods together
- The result can be arbitrary code execution, file system manipulation, or network requests — entirely dependent on available POP chain gadgets
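The following PHP script is an added example written for this page, not code from the Broadcast Live Video plugin or from the advisory. It uses a constructed, hypothetical class (TempFileCleaner) whose __destruct() deletes a file to show why passing request data to unserialize() is dangerous, and puts the vulnerable handler beside a hardened one that uses the allowed_classes option and rejects any object found in the payload. It assumes PHP 8.0 or later.

```php
<?php
declare(strict_types=1);

// Added example for this page (not plugin or advisory code). Assumes PHP >= 8.0.
// TempFileCleaner is a constructed, hypothetical "gadget" class: a helper whose
// __destruct() deletes a file. Real POP chains reuse classes that already exist
// in the application; the mechanism shown here is the same.
class TempFileCleaner
{
    public string $path = '';

    // Magic method: PHP calls this automatically when the object is destroyed,
    // including objects that were created by unserialize() from a request.
    public function __destruct()
    {
        if ($this->path !== '' && is_file($this->path)) {
            unlink($this->path);
        }
    }
}

// VULNERABLE: request data goes straight into unserialize(). Any class in the
// codebase can be instantiated, and its __wakeup()/__destruct() will run.
function handle_vulnerable(string $input): mixed
{
    return unserialize($input);
}

// Recursively checks whether a decoded value contains any object, including
// the __PHP_Incomplete_Class stubs produced when class loading is disabled.
function contains_object(mixed $value): bool
{
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_object($item)) {
                return true;
            }
        }
    }
    return false;
}

// HARDENED: allowed_classes => false stops PHP from instantiating any class, so
// no magic method can fire. Objects arrive as __PHP_Incomplete_Class stubs, and
// the handler rejects the request instead of silently continuing with them.
function handle_hardened(string $input): mixed
{
    $value = unserialize($input, ['allowed_classes' => false]);
    if (contains_object($value)) {
        throw new InvalidArgumentException('serialized objects are not accepted');
    }
    return $value;
}

// PREFERRED when objects are not needed at all: use JSON, which has no notion
// of PHP classes and therefore no magic methods to trigger.
function handle_json(string $input): mixed
{
    return json_decode($input, true, 512, JSON_THROW_ON_ERROR);
}

// --- Demonstration with a constructed payload ------------------------------
$victim = tempnam(sys_get_temp_dir(), 'poi-demo') ?: throw new RuntimeException('tempnam failed');
// Constructed serialized object naming the file; this is what an attacker-
// controlled request body would carry. Built by hand so that no real
// TempFileCleaner instance (and so no __destruct()) exists before the demo.
$payload = sprintf('O:15:"TempFileCleaner":1:{s:4:"path";s:%d:"%s";}',
                   strlen($victim), $victim);

$obj = handle_vulnerable($payload);
unset($obj);                                 // __destruct() runs here
echo 'vulnerable handler, file still exists: ', is_file($victim) ? 'yes' : 'no', PHP_EOL;

file_put_contents($victim, 'recreated');
try {
    handle_hardened($payload);
} catch (InvalidArgumentException $e) {
    echo 'hardened handler: rejected (', $e->getMessage(), ')', PHP_EOL;
}
echo 'hardened handler, file still exists: ', is_file($victim) ? 'yes' : 'no', PHP_EOL;
unlink($victim);
```

Run it with php from the command line. The vulnerable handler deletes the temporary file as soon as the deserialized object is released, even though nothing in the handler ever calls a method on it; the hardened handler turns the object into a __PHP_Incomplete_Class stub, whose magic methods never run, and rejects the request. Where the data does not need to carry objects at all, switching the format to JSON (as handle_json does) removes this bug class entirely rather than filtering it.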
Attack Vector
The Broadcast Live Video plugin exposes an unauthenticated endpoint that accepts serialized PHP data. By sending a crafted HTTP request containing a malicious serialized object, a remote attacker can:
1. Identify a WordPress site running Broadcast Live Video < 7.1.3
2. Craft a malicious serialized PHP payload exploiting available POP chains
3. Send the payload to the vulnerable plugin endpoint (no auth required)
4. PHP deserializes the object, triggering magic methods
5. Attacker achieves RCE, file deletion, SSRF, or data exfiltration
Potential Impact
Depending on available PHP classes and POP gadgets in the target environment, exploitation could lead to:
- Remote Code Execution (RCE) — arbitrary OS command execution on the web server
- Arbitrary File Deletion — wiping files on the host filesystem
- Server-Side Request Forgery (SSRF) — making the server perform requests to internal or external systems
- Data Exfiltration — reading sensitive files such as wp-config.php containing database credentials
Why WordPress Plugin Vulnerabilities Are High Risk
WordPress powers approximately 43% of all websites on the internet. Plugin vulnerabilities are among the most exploited attack surfaces in web security:
- Mass exploitation is trivial — automated scanners can probe millions of sites for vulnerable plugin versions within hours of disclosure
- Vulnerabilities that require no authentication are especially dangerous, since they can be exploited without any prior foothold
- High-CVSS plugin flaws are routinely weaponized within 24–72 hours of public disclosure
Sites running the affected Broadcast Live Video plugin are at risk of being swept up in automated exploitation campaigns targeting this vulnerability.
Immediate Remediation
Patch Now
- Update the Broadcast Live Video plugin to version 7.1.3 or later
- Navigate to WordPress Admin → Plugins → Updates
- Apply the update immediately
- Verify the update was applied — confirm the plugin version in the Plugins list
If Immediate Patching Is Not Possible
- Deactivate and remove the plugin until the update can be applied
- Review web server logs for unusual POST requests to plugin endpoints
- Check for indicators of compromise:
- Unexpected PHP files in the uploads directory
- New administrator accounts
- Modified core WordPress files
- Implement a Web Application Firewall (WAF) to block deserialization attack patterns
Detection
Log-Based Indicators
| Indicator | Description |
|---|---|
| Unusual POST requests to plugin endpoints | Potential exploitation attempt |
| Base64-encoded serialized data in request bodies | Malicious payload delivery |
| Unexpected outbound connections from the web server | SSRF or C2 communication |
| New PHP files in wp-content/uploads/ | Potential web shell drop |
| New administrator accounts created | Post-exploitation privilege escalation |
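The log-review step in the remediation section and the first two rows of the table above both come down to one check: does a request body carry a PHP serialized object, whether raw, URL-encoded, or base64-encoded? The script below is an added example written for this page, not plugin or advisory code, that implements that check over a small constructed log. The log format, the IP addresses, the timestamps, the endpoint path (example-plugin) and the gadget class name (Placeholder) are all constructed for the example; standard access logs do not record bodies, so in practice this logic belongs in a WAF rule or an application-level request log. It assumes PHP 8.0 or later.

```php
<?php
declare(strict_types=1);

// Added example for this page (not plugin or advisory code). Flags request
// bodies that carry a PHP serialized object, whether sent raw, URL-encoded,
// or base64-encoded. The log format and all log lines below are constructed
// for the example; real access logs normally omit bodies, so this is the kind
// of check that belongs in a WAF rule or an application-level request log.

// A PHP serialized object starts with O:<len>:"<class>":<n>:{ (or C: for
// classes implementing Serializable). Plain scalars and arrays never do.
function contains_serialized_object(string $text): bool
{
    return (bool) preg_match('/[OC]:\d+:"[A-Za-z_\\\\][\w\\\\]*":\d+:\{/', $text);
}

// The body as sent, URL-decoded, and every base64-looking run (16+ chars)
// decoded in strict mode so that ordinary words are not misread as base64.
function candidate_decodings(string $body): array
{
    $forms = [$body, rawurldecode($body)];
    $out   = $forms;
    foreach ($forms as $text) {
        if (preg_match_all('#[A-Za-z0-9+/]{16,}={0,2}#', $text, $m)) {
            foreach ($m[0] as $chunk) {
                $decoded = base64_decode($chunk, true);
                if ($decoded !== false) {
                    $out[] = $decoded;
                }
            }
        }
    }
    return $out;
}

// Scans lines of the form "<ts> <ip> <method> <path> <status> body=<raw body>"
// and returns one finding per line whose body carries a serialized object.
function scan_log(array $lines): array
{
    $findings = [];
    foreach ($lines as $line) {
        if (!preg_match('/^(\S+) (\S+) (\S+) (\S+) (\d+) body=(.*)$/', $line, $m)) {
            continue;
        }
        [, $ts, $ip, $method, $path, , $body] = $m;
        foreach (candidate_decodings($body) as $text) {
            if (contains_serialized_object($text)) {
                $findings[] = sprintf('%s %s %s %s: serialized PHP object in request body',
                                      $ts, $ip, $method, $path);
                break;
            }
        }
    }
    return $findings;
}

// --- Constructed sample log ------------------------------------------------
// "Placeholder" stands in for whatever gadget class a real payload would name;
// the endpoint path is a placeholder as well.
$endpoint = '/wp-content/plugins/example-plugin/endpoint.php';
$object   = 'O:11:"Placeholder":1:{s:4:"path";s:9:"/tmp/demo";}';
$lines = [
    // Benign: a serialized array of scalars, URL-encoded (no O: marker).
    '2026-06-16T10:01:02Z 203.0.113.7 POST ' . $endpoint . ' 200 body=data=' . rawurlencode('a:1:{i:0;s:2:"ok";}'),
    // Suspicious: serialized object, URL-encoded.
    '2026-06-16T10:01:09Z 203.0.113.7 POST ' . $endpoint . ' 200 body=data=' . rawurlencode($object),
    // Suspicious: the same object, base64-encoded.
    '2026-06-16T10:01:15Z 198.51.100.23 POST ' . $endpoint . ' 200 body=payload=' . base64_encode($object),
    // Benign: ordinary page view with no body.
    '2026-06-16T10:02:00Z 192.0.2.44 GET /live/ 200 body=',
];

foreach (scan_log($lines) as $finding) {
    echo $finding, PHP_EOL;
}
```

On the constructed log the scanner reports the second and third lines and leaves the serialized-array request and the plain GET alone, which is the point of matching on the object marker rather than on "looks serialized": legitimate code does exchange serialized arrays, but an object header in an unauthenticated request body is what the exploitation path described above requires. The same regex can be lifted directly into a WAF rule on the decoded body.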
WordPress Security Scanning
- WPScan — scan for known plugin vulnerabilities
- Wordfence — real-time firewall and malware scanner
- Sucuri SiteCheck — remote malware scanning
Key Takeaways
- CVSS 9.8 — Critical unauthenticated PHP Object Injection
- No authentication required — exploitable by any internet-accessible attacker
- Update to Broadcast Live Video 7.1.3 immediately
- Deactivate the plugin if immediate patching is not possible
- Automated mass exploitation of high-CVSS WordPress plugin flaws typically begins within hours of disclosure