CVE-2026-27333

Vulnerability

The Paid Videochat Turnkey Site plugin for WordPress (versions 7.3.23 and earlier) contains an unauthenticated deserialization of untrusted data vulnerability. The flaw resides in the plugin's handling of serialized input without proper validation, allowing an attacker to inject arbitrary PHP objects. No authentication or special configuration is required to reach the affected code path.

Exploitation

An unauthenticated attacker can exploit this vulnerability by sending a crafted HTTP request containing malicious serialized data to the vulnerable plugin endpoint. No prior access or user interaction is needed. The attacker only requires network connectivity to the target site.

Impact

Successful exploitation leads to arbitrary PHP object injection, which can enable remote code execution (RCE). An attacker may execute arbitrary commands, potentially gaining administrative access to the WordPress dashboard and full control over the affected site. This vulnerability is expected to be leveraged in mass-exploit campaigns targeting thousands of websites [1].

Mitigation

Patchstack has issued a mitigation rule to block attacks until a patched version is applied. The vendor released version 7.3.24 to resolve the vulnerability; users should update immediately. If updating is not possible, enable auto-updates for vulnerable plugins via Patchstack or contact a web developer for assistance [1].