Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Unauthenticated network-reachable PHP deserialization yields PR:N/AV:N with full CIA impact; AC:H reflects dependence on an available gadget chain for reliable code execution.
Primary rating from Vendor (Patchstack).
CVSS Vector (Vendor: Patchstack)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Description (CVE.org)
Unauthenticated Deserialization of untrusted data in Paid Videochat Turnkey Site <= 7.3.23 versions.
Analysis (AI)
Unauthenticated PHP object injection in the Paid Videochat Turnkey Site WordPress plugin (versions 7.3.23 and earlier, also marketed as 'ppv-live-webcams') allows remote attackers to deserialize untrusted data and potentially achieve full compromise of the underlying site. The flaw was reported by Patchstack and tracked as EUVD-2026-36915; no public exploit code or CISA KEV listing is identified at time of analysis, though the CVSS 8.1 score reflects confidentiality, integrity, and availability impact gated by high attack complexity.
Vulnerability Assessment (AI)
| Category | Assessment |
| --- | --- |
| Exploitation | Exploitation requires the videowhisper.com Paid Videochat Turnkey Site plugin (ppv-live-webcams) at version 7.3.23 or earlier to be installed and active on a network-reachable WordPress site, with the vulnerable request handler exposed to anonymous users. … |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H indicates network-reachable, unauthenticated exploitation with total CIA impact, but the AC:H qualifier signals that successful exploitation depends on conditions outside the attacker's control - likely the presence of a usable gadget chain or a specific plugin/theme combination. … |
| Exploit Scenario | A remote unauthenticated attacker submits a crafted HTTP request to a public endpoint of the ppv-live-webcams plugin containing a serialized PHP object payload that triggers a magic method (`__wakeup`, `__destruct`, or `__toString`) on a gadget class present in WordPress core or another loaded plugin. If a usable gadget chain exists in the target installation, the deserialization leads to arbitrary file write or code execution under the web server's user, resulting in full site takeover. … |
| Remediation | No vendor-released patched version is independently confirmed in the supplied data, so administrators should consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/ppv-live-webcams/vulnerability/wordpress-paid-videochat-turnkey-site-plugin-7-3-23-deserialization-of-untrusted-data-vulnerability) and the NVD entry for the most current fixed release and upgrade beyond 7.3.23 as soon as one is published. … |
Recommended Action (AI)
Within 24 hours: Inventory all WordPress installations running Paid Videochat Turnkey Site / ppv-live-webcams plugin at versions 7.3.23 or earlier. …
EUVD-2026-36915
GHSA-7jqc-9jj9-67rh