CVE-2025-8899 - Vulnerability Analysis

Overview

Paid Videochat Turnkey Site – HTML5 PPV Live Webcams WordPress plugin <= 7.3.20 contains a privilege escalation caused by insufficient restriction of user roles in videowhisper_register_form(), letting authenticated attackers with Author-level access or above escalate to administrator, exploit requires authenticated user with Author or Contributor role.

Severity & Score

Impact

Authenticated attackers can escalate privileges to administrator, gaining full control over the site.

Mitigation

Update to a version later than 7.3.20 or the latest available version.

References

• https://plugins.trac.wordpress.org/browser/ppv-live-webcams/trunk/inc/shortcodes.php#L2464
• https://plugins.trac.wordpress.org/changeset/3348788/ppv-live-webcams
• https://www.wordfence.com/threat-intel/vulnerabilities/id/f71fc65f-cdc1-4f20-b37e-849ade49ee41?source=cve

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Mar 7, 2026

🟠 CVE-2025-8899 - High (8.8) The Paid Videochat Turnkey Site – HTML5 PPV Live Webcams plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 7.3.20. This is due to videowhisper_register_form() function not restricting user roles tha... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-8899/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

• Vulnerability Intelligence Dashboard
• Credential Scanner