CVE-2026-27053

Vulnerability

The Broadcast Live Video plugin for WordPress (versions prior to 7.1.3) is vulnerable to unauthenticated PHP Object Injection. The vulnerability resides in the plugin's handling of user-supplied input that is passed to an unserialize() call without proper sanitization. No authentication or special configuration is required to reach the vulnerable code path. [1]

Exploitation

An attacker can exploit this vulnerability by sending a crafted HTTP request containing a malicious serialized PHP object to the affected endpoint. No authentication is needed, and the attack can be performed remotely over the network. The attacker must craft a payload that, when unserialized, triggers a POP (Property Oriented Programming) chain to achieve code execution. [1]

Impact

Successful exploitation allows an attacker to execute arbitrary PHP code, perform SQL injection, path traversal, or cause denial of service, depending on the available POP gadgets. This can lead to full compromise of the WordPress site, including data theft, site defacement, and further propagation of attacks. The CVSS score of 9.8 reflects the critical severity and ease of exploitation. [1]

Mitigation

The vulnerability is fixed in version 7.1.3 of the Broadcast Live Video plugin. Users should update immediately. For those unable to update, Patchstack provides a virtual mitigation rule that blocks attacks until the update is applied. The plugin vendor has not announced any workarounds other than updating. [1]