VYPR
High severity 7.2 · NVD Advisory · Published May 25, 2026

CVE-2026-24937

Description

Improper Control of Generation of Code ('Code Injection') vulnerability in VideoWhisper.Com Broadcast Live Video allows Code Injection.

This issue affects Broadcast Live Video: from n/a before 7.1.3.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A code injection vulnerability in the WordPress Broadcast Live Video plugin before 7.1.3 allows remote code execution.

Vulnerability

A code injection vulnerability exists in the VideoWhisper.Com Broadcast Live Video plugin for WordPress, affecting versions before 7.1.3. The flaw allows an attacker to inject and execute arbitrary code through improper control of code generation [1]. The vulnerability is present in the plugin's input handling mechanisms, likely triggered via crafted HTTP requests without requiring authentication.

Exploitation

An attacker can exploit this vulnerability by sending a specially crafted request to the vulnerable endpoint. No authentication or user interaction is required, making the attack remotely exploitable over the network. The attacker injects malicious code that the plugin then executes within the server context.

Impact

Successful exploitation leads to remote code execution (RCE) on the target WordPress site. The attacker gains the ability to execute arbitrary commands, potentially leading to full site compromise, data theft, website defacement, or further propagation of attacks.

Mitigation

The vulnerability is fixed in version 7.1.3 of the Broadcast Live Video plugin. Users must update to this version or later immediately. If updating is not possible, consider contacting your hosting provider or web developer for assistance. No other workarounds are documented in available references [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

References

1
