Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. Security
  3. CVE-2026-57331: Critical Arbitrary File Deletion in Paid Videochat Turnkey Site
CVE-2026-57331: Critical Arbitrary File Deletion in Paid Videochat Turnkey Site

Critical Security Alert

This vulnerability is actively being exploited. Immediate action is recommended.

SECURITYCRITICALCVE-2026-57331

CVE-2026-57331: Critical Arbitrary File Deletion in Paid Videochat Turnkey Site

A CVSS 9.9 critical vulnerability in the Paid Videochat Turnkey Site WordPress plugin allows authenticated performer-role users to delete arbitrary files...

Dylan H.

Security Team

June 30, 2026
4 min read

Affected Products

  • Paid Videochat Turnkey Site (ppv-live-webcams) <= 7.4.8

Executive Summary

A CVSS 9.9 critical path traversal vulnerability has been disclosed in the Paid Videochat Turnkey Site WordPress plugin (slug: ppv-live-webcams) by VideoWhisper.com. Tracked as CVE-2026-57331, the flaw allows any authenticated user holding a low-privilege Performer account to delete arbitrary files anywhere on the WordPress host filesystem — including core WordPress files, configuration files, and database credentials.

Exploitation requires no special conditions beyond a Performer-level account, which is a standard role within the plugin's own user system. Given the low-privilege bar and zero required user interaction, this vulnerability is considered a candidate for mass-campaign exploitation.


Vulnerability Details

FieldValue
CVE IDCVE-2026-57331
CVSS 3.1 Score9.9 Critical
CVSS VectorAV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CWECWE-22 — Path Traversal
Affected PluginPaid Videochat Turnkey Site (ppv-live-webcams)
Affected Versions<= 7.4.8
Fixed Version7.4.9
Researcherendy
DisclosedJune 29, 2026
VendorVideoWhisper.com

Technical Analysis

Root Cause

The plugin fails to properly sanitize or restrict file path inputs provided by authenticated performer-level users. An attacker can supply path traversal sequences (../) to the plugin's file management endpoint, causing the server to resolve a path outside the intended directory and delete the targeted file.

This is a classic broken access control failure (OWASP A1), where the application trusts user-supplied input to determine which files to operate on without enforcing a strict path-restriction boundary.

Attack Vector

1. Attacker registers or compromises a Performer account on the target WordPress site
2. Attacker submits a crafted file path containing traversal sequences to the plugin endpoint
   e.g., ../../wp-config.php  or  ../../../etc/passwd
3. Plugin passes the unsanitized path directly to a file deletion function
4. Arbitrary file is deleted from the server filesystem

CVSS Score Breakdown

The near-maximum CVSS score reflects several compounding factors:

  • Network (AV:N) — Fully remote exploitation, no physical or local access needed
  • Low Complexity (AC:L) — No race conditions or special configuration required
  • Low Privilege (PR:L) — Only a Performer account (plugin's own role, easily registered) needed
  • No User Interaction (UI:N) — The attacker acts unilaterally
  • Changed Scope (S:C) — Exploit impacts resources beyond the vulnerable plugin (entire filesystem)
  • High Confidentiality/Integrity/Availability (C:H/I:H/A:H) — Deletion of wp-config.php or core files destroys site availability and may expose database credentials

Impact

Successful exploitation can result in:

  • Complete site destruction — Deleting wp-config.php or core WordPress PHP files immediately breaks the site
  • Credential exposure — Destroying or revealing wp-config.php can expose database usernames and passwords
  • Privilege escalation pathway — In combination with other weaknesses, file deletion can be used to remove security controls or force reinstallation with attacker-controlled credentials
  • Data destruction — Targeting plugin data files, upload directories, or log files to cover tracks or cause operational damage

Affected Environments

WordPress sites running the Paid Videochat Turnkey Site plugin version 7.4.8 or earlier are vulnerable. This plugin is marketed toward live-streaming and adult content monetization platforms, where Performer accounts are a standard feature — meaning the attack surface is inherently broad on any site using the plugin's performer role system.


Mitigation

Immediate Action (Required)

Update to version 7.4.9 immediately. This is a critical-severity patch with no viable workaround for unpatched installations.

  1. Navigate to WordPress Admin → Plugins → Installed Plugins
  2. Find Paid Videochat Turnkey Site
  3. Apply the available update to version 7.4.9
  4. Verify the update installed successfully

Interim Controls (If Patching Is Delayed)

  • Restrict performer registrations — Temporarily disable new Performer account creation until patched
  • Audit existing performer accounts — Review and remove any unrecognized or suspicious performer accounts
  • Virtual patching — Patchstack offers a firewall rule that blocks exploitation attempts against this CVE for subscribers
  • Web Application Firewall (WAF) — Deploy rules blocking path traversal patterns (../, %2e%2e%2f, URL-encoded variants) on the affected endpoint

Post-Patch Verification

After patching, verify no unauthorized file deletions occurred during your exposure window. Check for:

  • Missing wp-config.php or core WordPress files
  • Unexpected error logs around plugin file management endpoints
  • Unauthorized performer account registrations in your user list

References

  • NVD — CVE-2026-57331
  • Patchstack — CVE-2026-57331 Advisory
  • VideoWhisper.com Plugin Page
  • OWASP — Path Traversal
#CVE-2026-57331#WordPress#Path Traversal#Arbitrary File Deletion#Critical#NVD

Related Articles

CVE-2026-9725: Critical WordPress WooCommerce Plugin File Deletion

A CVSS 9.1 critical unauthenticated arbitrary file deletion vulnerability in the Printcart Web to Print Product Designer for WooCommerce plugin affects...

4 min read

CVE-2026-9711: Critical SQL Injection in EventON WordPress Plugin (CVSS 9.8)

A critical unauthenticated SQL injection vulnerability in the EventON WordPress Virtual Event Calendar Plugin affects versions up to 5.0.11, exposing...

3 min read

CVE-2026-54414: FileRise Path Traversal Enables Arbitrary File Write and Admin Takeover

A critical path traversal vulnerability in FileRise before 3.16.0 allows unauthenticated attackers to write arbitrary files and completely compromise...

5 min read
Back to all Security Alerts