Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Unauthenticated remote deserialization in a WordPress plugin endpoint (AV:N/AC:L/PR:N/UI:N); PHP object injection with available gadgets yields full C/I/A impact.
Primary rating from Vendor (Patchstack).
CVSS Vector (Vendor: Patchstack)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description (CVE.org)
Unauthenticated PHP Object Injection in Broadcast Live Video < 7.1.3 versions.
Analysis (AI)
Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remote attackers to inject crafted serialized PHP objects that are deserialized by the application. With a CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) and CWE-502 root cause, successful exploitation can lead to remote code execution, data theft, or full site takeover when suitable gadget chains are present in the WordPress stack. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | No authentication and no user interaction are required (PR:N/UI:N); exploitation is remote over the network (AV:N) against any WordPress site that has the VideoWhisper Broadcast Live Video plugin installed and activated at a version below 7.1.3 with the vulnerable endpoint reachable. … |
| Risk Assessment | All available signals point to a high-priority issue: CVSS 9.8 with AV:N/AC:L/PR:N/UI:N indicates remote, network-reachable, unauthenticated exploitation with low complexity, and CWE-502 deserialization flaws are historically high-impact in PHP ecosystems. … |
| Exploit Scenario | A remote attacker sends a single crafted HTTP request to a vulnerable plugin endpoint of an internet-exposed WordPress site, embedding a serialized PHP object payload that targets a POP gadget chain present in WordPress or other installed plugins. When the plugin deserializes the input, the chained magic methods fire and trigger file writes, arbitrary code execution, or admin-level actions - leading to full site compromise. … |
| Remediation | Vendor-released patch: 7.1.3 - upgrade the Broadcast Live Video (VideoWhisper Live Streaming Integration) plugin to version 7.1.3 or later via the WordPress plugin dashboard or by deploying the fixed release from the vendor, per the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/videowhisper-live-streaming-integration/vulnerability/wordpress-broadcast-live-video-plugin-7-1-3-php-object-injection-vulnerability). … |
Recommended Action (AI)
Within 24 hours: Enumerate all WordPress instances running Broadcast Live Video plugin and record current versions. …
EUVD-2026-36913
GHSA-gfh6-hf96-9gf9