Paid Videochat Turnkey Site
Monthly
Unauthenticated PHP object injection in the Paid Videochat Turnkey Site WordPress plugin (versions 7.3.23 and earlier, also marketed as 'ppv-live-webcams') allows remote attackers to deserialize untrusted data and potentially achieve full compromise of the underlying site. The flaw was reported by Patchstack and tracked as EUVD-2026-36915; no public exploit code or CISA KEV listing is identified at time of analysis, though the CVSS 8.1 score reflects confidentiality, integrity, and availability impact gated by high attack complexity.
Unauthenticated access control bypass in VideoWhisper.Com's Paid Videochat Turnkey Site WordPress plugin (versions through 7.3.23) allows remote attackers to access restricted resources without authorization, resulting in partial information disclosure. The plugin (known by slug ppv-live-webcams) fails to enforce authorization checks on one or more endpoints, enabling any unauthenticated network actor to exploit incorrectly configured access control security levels. No public exploit code has been identified and CISA KEV does not list this vulnerability, though SSVC data confirms the attack is automatable, raising the potential for scripted mass scanning.
Unauthenticated PHP object injection in the Paid Videochat Turnkey Site WordPress plugin (versions 7.3.23 and earlier, also marketed as 'ppv-live-webcams') allows remote attackers to deserialize untrusted data and potentially achieve full compromise of the underlying site. The flaw was reported by Patchstack and tracked as EUVD-2026-36915; no public exploit code or CISA KEV listing is identified at time of analysis, though the CVSS 8.1 score reflects confidentiality, integrity, and availability impact gated by high attack complexity.
Unauthenticated access control bypass in VideoWhisper.Com's Paid Videochat Turnkey Site WordPress plugin (versions through 7.3.23) allows remote attackers to access restricted resources without authorization, resulting in partial information disclosure. The plugin (known by slug ppv-live-webcams) fails to enforce authorization checks on one or more endpoints, enabling any unauthenticated network actor to exploit incorrectly configured access control security levels. No public exploit code has been identified and CISA KEV does not list this vulnerability, though SSVC data confirms the attack is automatable, raising the potential for scripted mass scanning.