Broadcast Live Video EUVD-2026-31763

CVE-2026-24937 HIGH
Code Injection (CWE-94)
2026-05-25 Patchstack GHSA-296g-v265-85g6
CVSS 3.1 score: 7.2 (NVD)

Severity by source

NVD (primary): 7.2 HIGH, AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Jun 08, 2026 - 09:46 (vuln.today)
Patch available: May 26, 2026 - 14:01 (EUVD)

Description (CVE.org)

Improper Control of Generation of Code ('Code Injection') vulnerability in VideoWhisper.Com Broadcast Live Video allows Code Injection.

This issue affects Broadcast Live Video: from n/a before 7.1.3.

Analysis (AI)

Authenticated code injection in the VideoWhisper Broadcast Live Video WordPress plugin (versions before 7.1.3) lets a high-privileged user execute arbitrary PHP on the underlying host, yielding full confidentiality, integrity, and availability loss on the WordPress instance. No public exploit identified at time of analysis, and EPSS exploitation probability sits at 0.04% (14th percentile), but SSVC rates the technical impact as total. …

Attack Chain (AI, derived)

Hypothetical attack flow derived from CVE metadata

Access: Obtain WordPress admin credentials
Delivery: Authenticate to wp-admin
Exploit: Submit crafted input to Broadcast Live Video config
Execution: Trigger PHP code injection sink
Persist: Execute arbitrary code as web user
Impact: Install webshell and pivot

Vulnerability Assessment (AI)

Exploitation: Exploitation requires an authenticated session with high privileges on the WordPress instance (CVSS PR:H), which in practice means an administrator-class account able to reach the VideoWhisper Broadcast Live Video plugin's configuration or broadcast-management interface; the plugin must be installed and active at a version below 7.1.3. …

Risk Assessment: Risk is moderate and conditional, not urgent. …

Exploit Scenario: An attacker who has obtained WordPress administrator credentials - for example via phishing, credential reuse, or a prior privilege escalation - logs into wp-admin and submits a crafted value to a Broadcast Live Video configuration field that is later evaluated as PHP, causing the WordPress process to execute attacker-supplied code and giving the attacker a webshell on the host. No public POC is currently identified, so any attempt would require independent vulnerability research against the patched 7.1.3 diff.

Remediation: Vendor-released patch: 7.1.3 - upgrade the VideoWhisper Live Streaming Integration plugin to 7.1.3 or later via the WordPress plugin updater or by replacing the plugin directory from the official source, then verify the installed version under Plugins. …

Recommended Action (AI)

Within 24 hours: Identify all WordPress sites using the VideoWhisper Broadcast Live Video plugin and confirm their current versions. …