WordPress Plugin Vulnerabilities

Paid Videochat Turnkey Site <= 7.3.23 - Admin+ Remote Code Execution

Description

The plugin is vulnerable to Remote Code Execution. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute code on the server.

Affects Plugins

Plugin icon
ppv-live-webcams
No known fix

References

CVE
CVE-2025-62959
URL
https://patchstack.com/database/wordpress/plugin/ppv-live-webcams/vulnerability/wordpress-paid-videochat-turnkey-site-plugin-7-3-22-remote-code-execution-rce-vulnerability

Classification

Type
RCE
OWASP top 10
A1: Injection
CWE
CWE-94
CVSS
7.2 (high)

Miscellaneous

Original Researcher
Luciano Hanna
Verified
No
WPVDB ID
d248182f-22cb-4bfb-a471-35a0ca916187

Timeline

Publicly Published
2025-10-16 (about 5 months ago)
Added
2025-10-29 (about 5 months ago)
Last Updated
2026-01-06 (about 2 months ago)

Other

Published
Title
Published
2014-08-01
Title
WP-Super-Cache 1.3 - Remote Code Execution
Published
2026-01-15
Title
Event Tickets with Ticket Scanner < 2.8.6 - Unauthenticated Remote Code Execution
Published
2025-10-31
Title
Advanced Ads < 2.0.13 - Unauthenticated Limited Code Execution
Published
2025-01-21
Title
GamiPress < 7.2.2 - Unauthenticated Arbitrary Shortcode Execution via gamipress_do_shortcode() Function
Published
2020-04-19
Title
Media Library Assistant < 2.82 - Authenticated RCE