Skip to main content

Paid Videochat Turnkey Site CVE-2026-57331

| EUVDEUVD-2026-40102 CRITICAL
Path Traversal (CWE-22)
2026-06-29 Patchstack GHSA-752c-x542-h98f
9.9
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
9.6 CRITICAL

Network-reachable endpoint needs only a low-privilege Performer account (PR:L, AC:L); arbitrary deletion gives high integrity/availability impact and scope change, but no read primitive so C:N.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 29, 2026 - 15:17 vuln.today

DescriptionCVE.org

Performer Arbitrary File Deletion in Paid Videochat Turnkey Site <= 7.4.8 versions.

AnalysisAI

Arbitrary file deletion in the VideoWhisper Paid Videochat Turnkey Site WordPress plugin (versions <= 7.4.8) lets an authenticated low-privilege 'Performer' account delete files outside the intended directory via path traversal. Because deleting critical WordPress files such as wp-config.php can force the site into setup mode and enable full takeover, the impact crosses a security boundary (scope change) and is rated CVSS 9.9. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain/register Performer account
Delivery
Authenticate to plugin endpoint
Exploit
Submit traversal filename parameter
Execution
Plugin deletes file outside directory
Persist
Remove wp-config.php to force setup mode
Impact
Hijack reinstall for site takeover

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated session as the plugin's low-privilege 'Performer' role (CVSS PR:L), so the attacker must be able to register as, or otherwise obtain, a Performer account on a site running Paid Videochat Turnkey Site version 7.4.8 or earlier. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H = 9.9) signals a network-reachable, low-complexity attack needing only a low-privilege authenticated session, no user interaction, and a scope change. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or obtains a low-privilege 'Performer' account on a WordPress site running Paid Videochat Turnkey Site <= 7.4.8, then sends an authenticated request to a vulnerable file-management endpoint with a traversal payload (e.g. a filename of '../../../../wp-config.php'). …
Remediation No vendor-released patch version was identified in the provided data; the input confirms only that versions <= 7.4.8 are vulnerable. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all WordPress installations running VideoWhisper plugin version 7.4.8 or earlier and immediately deactivate the affected plugin. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57331 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy