Executive Summary
A CVSS 9.9 critical path traversal vulnerability has been disclosed in the Paid Videochat Turnkey Site WordPress plugin (slug: ppv-live-webcams) by VideoWhisper.com. Tracked as CVE-2026-57331, the flaw allows any authenticated user holding a low-privilege Performer account to delete arbitrary files anywhere on the WordPress host filesystem — including core WordPress files, configuration files, and database credentials.
Exploitation requires no special conditions beyond a Performer-level account, which is a standard role within the plugin's own user system. Given the low-privilege bar and zero required user interaction, this vulnerability is considered a candidate for mass-campaign exploitation.
Vulnerability Details
| Field | Value |
|---|---|
| CVE ID | CVE-2026-57331 |
| CVSS 3.1 Score | 9.9 Critical |
| CVSS Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
| CWE | CWE-22 — Path Traversal |
| Affected Plugin | Paid Videochat Turnkey Site (ppv-live-webcams) |
| Affected Versions | <= 7.4.8 |
| Fixed Version | 7.4.9 |
| Researcher | endy |
| Disclosed | June 29, 2026 |
| Vendor | VideoWhisper.com |
Technical Analysis
Root Cause
The plugin fails to properly sanitize or restrict file path inputs provided by authenticated performer-level users. An attacker can supply path traversal sequences (../) to the plugin's file management endpoint, causing the server to resolve a path outside the intended directory and delete the targeted file.
This is a classic broken access control failure (OWASP A1), where the application trusts user-supplied input to determine which files to operate on without enforcing a strict path-restriction boundary.
Attack Vector
1. Attacker registers or compromises a Performer account on the target WordPress site
2. Attacker submits a crafted file path containing traversal sequences to the plugin endpoint
e.g., ../../wp-config.php or ../../../etc/passwd
3. Plugin passes the unsanitized path directly to a file deletion function
4. Arbitrary file is deleted from the server filesystem
CVSS Score Breakdown
The near-maximum CVSS score reflects several compounding factors:
- Network (AV:N) — Fully remote exploitation, no physical or local access needed
- Low Complexity (AC:L) — No race conditions or special configuration required
- Low Privilege (PR:L) — Only a Performer account (plugin's own role, easily registered) needed
- No User Interaction (UI:N) — The attacker acts unilaterally
- Changed Scope (S:C) — Exploit impacts resources beyond the vulnerable plugin (entire filesystem)
- High Confidentiality/Integrity/Availability (C:H/I:H/A:H) — Deletion of
wp-config.phpor core files destroys site availability and may expose database credentials
Impact
Successful exploitation can result in:
- Complete site destruction — Deleting
wp-config.phpor core WordPress PHP files immediately breaks the site - Credential exposure — Destroying or revealing
wp-config.phpcan expose database usernames and passwords - Privilege escalation pathway — In combination with other weaknesses, file deletion can be used to remove security controls or force reinstallation with attacker-controlled credentials
- Data destruction — Targeting plugin data files, upload directories, or log files to cover tracks or cause operational damage
Affected Environments
WordPress sites running the Paid Videochat Turnkey Site plugin version 7.4.8 or earlier are vulnerable. This plugin is marketed toward live-streaming and adult content monetization platforms, where Performer accounts are a standard feature — meaning the attack surface is inherently broad on any site using the plugin's performer role system.
Mitigation
Immediate Action (Required)
Update to version 7.4.9 immediately. This is a critical-severity patch with no viable workaround for unpatched installations.
- Navigate to WordPress Admin → Plugins → Installed Plugins
- Find Paid Videochat Turnkey Site
- Apply the available update to version 7.4.9
- Verify the update installed successfully
Interim Controls (If Patching Is Delayed)
- Restrict performer registrations — Temporarily disable new Performer account creation until patched
- Audit existing performer accounts — Review and remove any unrecognized or suspicious performer accounts
- Virtual patching — Patchstack offers a firewall rule that blocks exploitation attempts against this CVE for subscribers
- Web Application Firewall (WAF) — Deploy rules blocking path traversal patterns (
../,%2e%2e%2f, URL-encoded variants) on the affected endpoint
Post-Patch Verification
After patching, verify no unauthorized file deletions occurred during your exposure window. Check for:
- Missing
wp-config.phpor core WordPress files - Unexpected error logs around plugin file management endpoints
- Unauthorized performer account registrations in your user list