cleantalk
Vulnerabilities and Security Researches

Paid Videochat Turnkey Site – HTML5 PPV Live Webcams, CVE-2025-8899

CVE, Research URL

CVE-2025-8899

Home page URL

Security reports for Paid Videochat Turnkey Site – HTML5 PPV Live Webcams

Application

Paid Videochat Turnkey Site – HTML5 PPV Live Webcams

Published on
Mar 07, 2026
Research Description
The Paid Videochat Turnkey Site – HTML5 PPV Live Webcams plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 7.3.20. This is due to videowhisper_register_form() function not restricting user roles that can be set during registration. This makes it possible for authenticated attackers, with Author-level access and above, to create posts/pages with the registration form and administrator set as the role and subsequently use that form to register an administrator account. This can also be exploited by contributors, but is far less likely to be successful because an administrator would need to approve the form with the administrator role for the attack to be successful.
Affected versions
max 7.3.21.
Status
vulnerable
Previous vulnerability researches
Disable Admin Notices individually (CVE-2026-2410) , Apr 15, 2026
Disable Admin Notices individually (CVE-2024-52420) , Nov 16, 2024
New vulnerability
personal-authors-category (CVE-2026-1754) , Apr 16, 2026
UpMenu – Online ordering for restaurants (CVE-2026-1910) , Apr 16, 2026
Employee Directory – Staff Directory and Listing (CVE-2026-1279) , Apr 16, 2026
Advance Block Extend (CVE-2026-1646) , Apr 16, 2026
All push notification for WP (CVE-2026-0816) , Apr 16, 2026