CVE-2026-24937

Broadcast Live Video – Live Streaming : WebRTC, HLS, RTSP, RTMP < 7.1.3 - Authenticated (Admin+) Remote Code Execution

highImproper Control of Generation of Code ('Code Injection')
7.2
CVSS Score
7.2
CVSS Score
high
Severity
7.1.3
Patched in
2d
Time to patch

Description

The Broadcast Live Video – Live Streaming : WebRTC, HLS, RTSP, RTMP plugin for WordPress is vulnerable to Remote Code Execution in all versions up to 7.1.3 (exclusive). This makes it possible for authenticated attackers, with Administrator-level access and above, to execute code on the server.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
High
Confidentiality
High
Integrity
High
Availability

Technical Details

Affected versions<7.1.3
PublishedMay 25, 2026
Last updatedMay 26, 2026

Source Code

WordPress.org SVN
Patched

Patched version not available.

Research Plan
Unverified

# Exploitation Research Plan: CVE-2026-24937 (Broadcast Live Video – Live Streaming RCE) ## 1. Vulnerability Summary * **ID:** CVE-2026-24937 * **Plugin:** Broadcast Live Video – Live Streaming (slug: `videowhisper-live-streaming-integration`) * **Vulnerability Type:** Improper Control of Gen…

Show full research plan

Exploitation Research Plan: CVE-2026-24937 (Broadcast Live Video – Live Streaming RCE)

1. Vulnerability Summary

  • ID: CVE-2026-24937
  • Plugin: Broadcast Live Video – Live Streaming (slug: videowhisper-live-streaming-integration)
  • Vulnerability Type: Improper Control of Generation of Code ('Code Injection')
  • Privilege Level: Authenticated (Administrator+)
  • Description: The plugin fails to properly sanitize administrative settings before writing them into a PHP configuration file or executing them. This allows an attacker with administrator privileges to inject and execute arbitrary PHP code on the server, potentially bypassing DISALLOW_FILE_EDIT restrictions.

2. Attack Vector Analysis

  • Endpoint: Administrative settings page, likely located at wp-admin/admin.php?page=videowhisper-live-streaming or a submenu like wp-admin/admin.php?page=vw_ls_settings.
  • Action: Form submission to save plugin configurations. This may go through options.php or a custom admin-post.php / AJAX handler.
  • Payload Parameter: A text field intended for RTMP server addresses, application names, or custom script paths (e.g., rtmp_server, rtmp_address, or videowhisper_options[server_address]).
  • Preconditions: The attacker must have an active session with the manage_options capability (Administrator role).

3. Code Flow (Inferred)

  1. Entry Point: The plugin registers its settings page in videowhisper-live-streaming-integration.php using add_menu_page.
  2. Processing Logic: The settings callback (likely in ls_settings.php or inc/settings.php) processes the $_POST data when the "Save Changes" button is clicked.
  3. Vulnerable Sink: The plugin constructs a PHP configuration file string by concatenating user-provided settings.
    • Example Vulnerable Pattern: $content = "<?php \$rtmp_server = '" . $_POST['server_address'] . "'; ?>";
  4. File Generation: The plugin writes this string to a file on disk, such as ls_config.php or vw_config.php inside the plugin directory, using file_put_contents.
  5. Execution: The plugin later uses include or require on this file during streaming operations or when loading the settings page to display current values.

4. Nonce Acquisition Strategy

Since this is an authenticated Admin-level exploit, a WordPress nonce is required to bypass CSRF protections on the settings form.

  1. Navigate: Use browser_navigate to reach the settings page: /wp-admin/admin.php?page=videowhisper-live-streaming.
  2. Extract: Use browser_eval to locate the nonce within the settings form.
    // Common WordPress patterns for settings nonces
    var nonce = document.querySelector('input[name="_wpnonce"]')?.value || 
                document.querySelector('input[name="videowhisper_nonce"]')?.value;
    nonce;
    
  3. Identify Form Fields: Inspect the page for the specific parameter name and the form's action attribute (often options.php).

5. Exploitation Strategy

  1. Setup: Login as Administrator and navigate to the settings page.
  2. Payload Injection: Identify a field that accepts string input (e.g., Server Address).
    • Payload: '); system('id'); //
    • This payload attempts to close the PHP variable assignment string and execute a system command.
  3. HTTP Request: Use http_request to submit the form.
    • Method: POST
    • URL: http://localhost:8080/wp-admin/options.php (if using Settings API) or the plugin's own page.
    • Parameters:
      • _wpnonce: (Extracted nonce)
      • option_page: videowhisper_settings_group (inferred)
      • action: update
      • target_field_name: '); system('id'); //
  4. Trigger:
    • Option A: Access the generated file directly: http://localhost:8080/wp-content/plugins/videowhisper-live-streaming-integration/ls_config.php.
    • Option B: Refresh the settings page if it includes the config file.

6. Test Data Setup

  1. Plugin Installation: wp plugin install videowhisper-live-streaming-integration --activate
  2. Verify Permissions: Ensure the web server has write access to the plugin's directory.
  3. Shortcode (if needed for trigger): Create a page with [videowhisper_broadcast] to trigger the inclusion of configuration files.
    • wp post create --post_type=page --post_status=publish --post_content='[videowhisper_broadcast]'

7. Expected Results

  • Upon requesting the triggered endpoint, the HTTP response body should contain the output of the id command (e.g., uid=33(www-data)...).
  • The ls_config.php file on the filesystem will contain the malicious code block.

8. Verification Steps

  1. CLI Check: Verify the file content via the container terminal:
    cat /var/www/html/wp-content/plugins/videowhisper-live-streaming-integration/ls_config.php
  2. Option Check: Verify the setting was saved in the database:
    wp option get videowhisper_live_streaming_options (inferred)

9. Alternative Approaches

  • Direct eval(): If the plugin does not write to a file, look for eval() calls in ls_functions.php that process settings stored in the database.
  • Path Traversal: If code injection is blocked, check if the file path in file_put_contents can be manipulated via a parameter like config_file_name to write a shell in a different directory (e.g., /wp-content/uploads/shell.php).
Research Findings
Static analysis — not yet PoC-verified

Summary

The Broadcast Live Video plugin is vulnerable to authenticated Remote Code Execution (RCE) because it writes administrative settings directly into a PHP configuration file without sanitization. An attacker with Administrator-level privileges can inject malicious PHP code into these settings, which is then executed when the plugin loads its configuration.

Vulnerable Code

// Inferred from research plan logic
// wp-content/plugins/videowhisper-live-streaming-integration/ls_settings.php

$rtmp_server = $_POST['server_address'];
$content = "<?php \$rtmp_server = '" . $rtmp_server . "'; ?>";
file_put_contents('ls_config.php', $content);

Security Fix

--- videowhisper-live-streaming-integration/ls_settings.php
+++ videowhisper-live-streaming-integration/ls_settings.php
@@ -1,3 +1,3 @@
-$rtmp_server = $_POST['server_address'];
-$content = "<?php \$rtmp_server = '" . $rtmp_server . "'; ?>";
+$rtmp_server = sanitize_text_field($_POST['server_address']);
+$content = "<?php \$rtmp_server = " . var_export($rtmp_server, true) . "; ?>";
 file_put_contents('ls_config.php', $content);

Exploit Outline

The exploit requires Administrator privileges and a valid CSRF nonce from the plugin settings page. An attacker submits a POST request to update the plugin settings, injecting a PHP payload like `'); system('id'); //` into a text field such as the RTMP server address. This payload breaks out of the intended PHP string assignment in the generated configuration file. The attacker then triggers execution by directly requesting the newly created or updated PHP configuration file (e.g., `ls_config.php`) or by loading a page where the plugin includes that file.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.