Paid Videochat Turnkey Site CVE-2026-24590

EUVD-2026-31806 · MEDIUM
Missing Authorization (CWE-862)
2026-05-26 · Patchstack · GHSA-vqrw-78h5-gqqr
CVSS 3.1 (NVD): 5.3

Severity by source

NVD (primary): 5.3 MEDIUM · AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Lifecycle Timeline

Analysis Generated: Jun 08, 2026 - 11:54 (vuln.today)

Description (CVE.org)

Missing Authorization vulnerability in VideoWhisper.Com Paid Videochat Turnkey Site allows Exploiting Incorrectly Configured Access Control Security Levels.

This issue affects Paid Videochat Turnkey Site: from n/a through 7.3.23.

Analysis (AI)

Unauthenticated access control bypass in VideoWhisper.Com's Paid Videochat Turnkey Site WordPress plugin (versions through 7.3.23) allows remote attackers to access restricted resources without authorization, resulting in partial information disclosure. The plugin (known by slug ppv-live-webcams) fails to enforce authorization checks on one or more endpoints, enabling any unauthenticated network actor to exploit incorrectly configured access control security levels. …

Attack Chain (AI, derived)

Hypothetical attack flow derived from CVE metadata

Access: Scan for WordPress sites with plugin installed
Exploit: Send unauthenticated HTTP request to unprotected endpoint
Execution: Bypass missing authorization check
Impact: Receive restricted data in server response

Vulnerability Assessment (AI)

Exploitation: No authentication is required - the CVSS vector (PR:N) confirms unauthenticated exploitation is possible. …
Risk Assessment: CVSS scores this at 5.3 Medium, consistent with unauthenticated network access yielding only partial information disclosure (C:L, I:N, A:N). …
Exploit Scenario: An unauthenticated attacker enumerates WordPress sites running the Paid Videochat Turnkey Site plugin using automated scanning tools, then sends a crafted HTTP request directly to an unprotected plugin endpoint - such as an AJAX action or REST route - that lacks authorization verification. The server responds with restricted data (e.g., user details, session tokens, or configuration values) that should require authentication to access. …
Remediation: The primary recommended action is to update the Paid Videochat Turnkey Site plugin to a version beyond 7.3.23. …
