Description

The Paid Videochat Turnkey Site – HTML5 PPV Live Webcams plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 7.3.20. This is due to videowhisper_register_form() function not restricting user roles that can be set during registration. This makes it possible for authenticated attackers, with Author-level access and above, to create posts/pages with the registration form and administrator set as the role and subsequently use that form to register an administrator account. This can also be exploited by contributors, but is far less likely to be successful because an administrator would need to approve the form with the administrator role for the attack to be successful.

INFO

Published Date :

2026-03-07T05:46:45.508Z

Last Modified :

2026-04-08T17:33:43.206Z

Source :

Wordfence
AFFECTED PRODUCTS

The following products are affected by CVE-2025-8899 vulnerability.

Vendors Products
Videowhisper
  • Paid Videochat Turnkey Site – Html5 Ppv Live Webcams
Wordpress
  • Wordpress
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-8899.

URL Resource
https://plugins.trac.wordpress.org/browser/ppv-live-webcams/trunk/inc/shortcodes.php#L2464 cve-icon cve-icon
https://plugins.trac.wordpress.org/changeset/3348788/ppv-live-webcams cve-icon cve-icon
https://www.wordfence.com/threat-intel/vulnerabilities/id/f71fc65f-cdc1-4f20-b37e-849ade49ee41?source=cve cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact