Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Network-reachable endpoint needs only a low-privilege Performer account (PR:L, AC:L); arbitrary deletion gives high integrity/availability impact and scope change, but no read primitive so C:N.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Performer Arbitrary File Deletion in Paid Videochat Turnkey Site <= 7.4.8 versions.
AnalysisAI
Arbitrary file deletion in the VideoWhisper Paid Videochat Turnkey Site WordPress plugin (versions <= 7.4.8) lets an authenticated low-privilege 'Performer' account delete files outside the intended directory via path traversal. Because deleting critical WordPress files such as wp-config.php can force the site into setup mode and enable full takeover, the impact crosses a security boundary (scope change) and is rated CVSS 9.9. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated session as the plugin's low-privilege 'Performer' role (CVSS PR:L), so the attacker must be able to register as, or otherwise obtain, a Performer account on a site running Paid Videochat Turnkey Site version 7.4.8 or earlier. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H = 9.9) signals a network-reachable, low-complexity attack needing only a low-privilege authenticated session, no user interaction, and a scope change. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers or obtains a low-privilege 'Performer' account on a WordPress site running Paid Videochat Turnkey Site <= 7.4.8, then sends an authenticated request to a vulnerable file-management endpoint with a traversal payload (e.g. a filename of '../../../../wp-config.php'). … |
| Remediation | No vendor-released patch version was identified in the provided data; the input confirms only that versions <= 7.4.8 are vulnerable. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all WordPress installations running VideoWhisper plugin version 7.4.8 or earlier and immediately deactivate the affected plugin. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Paid Videochat Turnkey Site
View allUnauthenticated PHP object injection in the Paid Videochat Turnkey Site WordPress plugin (versions 7.3.23 and earlier, a
Unauthenticated access control bypass in VideoWhisper.Com's Paid Videochat Turnkey Site WordPress plugin (versions throu
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40102
GHSA-752c-x542-h98f