PT-2026-23828 · WordPress · Paid Videochat Turnkey Site – Html5 Ppv Live Webcams

Peter Thaleikis · Published 2026-03-07 · Updated 2026-03-12 · CVE-2025-8899

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Paid Videochat Turnkey Site – HTML5 PPV Live Webcams plugin for WordPress versions through 7.3.20

Description

The Paid Videochat Turnkey Site – HTML5 PPV Live Webcams plugin for WordPress is susceptible to a privilege escalation issue. The videowhisper_register_form() function does not adequately restrict user roles during registration. This allows authenticated attackers with Author-level access or higher to create posts or pages containing a registration form configured to assign administrator privileges. Attackers can then utilize this form to register a new administrator account, effectively gaining administrative control. While contributors can also attempt this exploit, its success depends on an administrator approving the form with the administrator role assigned.

Recommendations

Update the Paid Videochat Turnkey Site – HTML5 PPV Live Webcams plugin for WordPress to version 7.3.21.
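
To audit a site for the condition described above, the following added example (not the plugin's or the advisory's code) scans exported post records for a registration shortcode that requests the administrator role and was placed by a non-administrator. The shortcode tag `example_register_form`, the attribute name `role` and the record fields are assumptions, and the sample posts are constructed.

```python
import re

# Assumptions, not taken from the advisory: the shortcode tag and attribute
# name below are placeholders; substitute the ones used on your site.
SHORTCODE_TAG = "example_register_form"
ROLE_ATTR = "role"
PRIVILEGED_ROLES = {"administrator"}

# Matches key="v", key='v' or key=v inside a shortcode.
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s\]]+))""")

def shortcode_attrs(content, tag):
    """Yield the attributes of every [tag ...] shortcode found in content."""
    pattern = r"\[" + re.escape(tag) + r"\b([^\]]*)\]"
    for match in re.finditer(pattern, content):
        yield {k.lower(): (dq or sq or bare)
               for k, dq, sq, bare in ATTR_RE.findall(match.group(1))}

def audit_posts(posts, tag=SHORTCODE_TAG):
    """Return (post id, author role, requested role, state) for risky forms."""
    findings = []
    for post in posts:
        if post["author_role"] == "administrator":
            continue  # the advisory concerns forms placed by lower roles
        for attrs in shortcode_attrs(post["content"], tag):
            role = attrs.get(ROLE_ATTR, "").strip().lower()
            if role in PRIVILEGED_ROLES:
                # Published forms are reachable now; pending ones (the
                # contributor case) only become live if someone approves them.
                state = "live" if post["status"] == "publish" else "needs-review"
                findings.append((post["id"], post["author_role"], role, state))
    return findings

# Constructed sample records (id, author's role, post status, body).
SAMPLE_POSTS = [
    {"id": 101, "author_role": "author", "status": "publish",
     "content": 'Join us [example_register_form role="administrator"]'},
    {"id": 102, "author_role": "contributor", "status": "pending",
     "content": "[example_register_form role='Administrator']"},
    {"id": 103, "author_role": "author", "status": "publish",
     "content": '[example_register_form role="subscriber"]'},
    {"id": 104, "author_role": "administrator", "status": "publish",
     "content": "[example_register_form role=administrator]"},
]

if __name__ == "__main__":
    for finding in audit_posts(SAMPLE_POSTS):
        print(finding)
```

A "live" finding on a site still running a version through 7.3.20 also warrants a review of recently created administrator accounts.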

Fix

LPE

Improper Privilege Management

Weakness Enumeration

Related Identifiers

CVE-2025-8899

Affected Products

Paid Videochat Turnkey Site – Html5 Ppv Live Webcams