How to fix CVE-2025-8899?

Within 24 hours: Audit all user accounts for unauthorized privilege escalation and review recent user registrations for suspicious activity. Within 7 days: Implement WAF rules blocking the videowhisper_register_form function or disable the plugin entirely if not business-critical. Within 30 days: Replace with an alternative solution or contact the vendor for an estimated patch timeline and evaluate alternative plugins with similar functionality.

Is PHP affected by CVE-2025-8899?

A privilege escalation vulnerability in the Paid Videochat WordPress plugin allows authenticated users with basic access to elevate themselves to administrator status, potentially compromising site integrity and data security.

CVE-2025-8899

HIGH

2026-03-07 [email protected]

8.8

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

CVE Published

Mar 07, 2026 - 06:16 nvd

HIGH 8.8

Description

The Paid Videochat Turnkey Site - HTML5 PPV Live Webcams plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 7.3.20. This is due to videowhisper_register_form() function not restricting user roles that can be set during registration. This makes it possible for authenticated attackers, with Author-level access and above, to create posts/pages with the registration form and administrator set as the role and subsequently use that form to register an administrator account. This can also be exploited by contributors, but is far less likely to be successful because an administrator would need to approve the form with the administrator role for the attack to be successful.

Analysis

Technical Context

This vulnerability (CWE-269: Improper Privilege Management) affects HTML5 PPV Live Webcam. The Paid Videochat Turnkey Site – HTML5 PPV Live Webcams plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 7.3.20. This is due to videowhisper_register_form() function not restricting user roles that can be set during registration. This makes it possible for authenticated attackers, with Author-level access and above, to create posts/pages with the registration form and administrator set as the role and subsequently use that form to register an admi

Affected Products

Product: HTML5 PPV Live Webcam. Versions: up to 7.3.20..

Remediation

Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +44

POC: 0

CVE-2025-8899 vulnerability details – vuln.today

Back

CVE-2025-8899

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-8899

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code