Broadcast Live Video – Live Streaming : WebRTC, HLS, RTSP, RTMP < 7.1.3 - Authenticated (Admin+) Remote Code Execution
Description
The Broadcast Live Video – Live Streaming : WebRTC, HLS, RTSP, RTMP plugin for WordPress is vulnerable to Remote Code Execution in all versions up to 7.1.3 (exclusive). This makes it possible for authenticated attackers, with Administrator-level access and above, to execute code on the server.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HTechnical Details
<7.1.3Source Code
WordPress.org SVNPatched version not available.
# Exploitation Research Plan: CVE-2026-24937 (Broadcast Live Video – Live Streaming RCE) ## 1. Vulnerability Summary * **ID:** CVE-2026-24937 * **Plugin:** Broadcast Live Video – Live Streaming (slug: `videowhisper-live-streaming-integration`) * **Vulnerability Type:** Improper Control of Gen…
Show full research plan
Exploitation Research Plan: CVE-2026-24937 (Broadcast Live Video – Live Streaming RCE)
1. Vulnerability Summary
- ID: CVE-2026-24937
- Plugin: Broadcast Live Video – Live Streaming (slug:
videowhisper-live-streaming-integration) - Vulnerability Type: Improper Control of Generation of Code ('Code Injection')
- Privilege Level: Authenticated (Administrator+)
- Description: The plugin fails to properly sanitize administrative settings before writing them into a PHP configuration file or executing them. This allows an attacker with administrator privileges to inject and execute arbitrary PHP code on the server, potentially bypassing
DISALLOW_FILE_EDITrestrictions.
2. Attack Vector Analysis
- Endpoint: Administrative settings page, likely located at
wp-admin/admin.php?page=videowhisper-live-streamingor a submenu likewp-admin/admin.php?page=vw_ls_settings. - Action: Form submission to save plugin configurations. This may go through
options.phpor a customadmin-post.php/ AJAX handler. - Payload Parameter: A text field intended for RTMP server addresses, application names, or custom script paths (e.g.,
rtmp_server,rtmp_address, orvideowhisper_options[server_address]). - Preconditions: The attacker must have an active session with the
manage_optionscapability (Administrator role).
3. Code Flow (Inferred)
- Entry Point: The plugin registers its settings page in
videowhisper-live-streaming-integration.phpusingadd_menu_page. - Processing Logic: The settings callback (likely in
ls_settings.phporinc/settings.php) processes the$_POSTdata when the "Save Changes" button is clicked. - Vulnerable Sink: The plugin constructs a PHP configuration file string by concatenating user-provided settings.
- Example Vulnerable Pattern:
$content = "<?php \$rtmp_server = '" . $_POST['server_address'] . "'; ?>";
- Example Vulnerable Pattern:
- File Generation: The plugin writes this string to a file on disk, such as
ls_config.phporvw_config.phpinside the plugin directory, usingfile_put_contents. - Execution: The plugin later uses
includeorrequireon this file during streaming operations or when loading the settings page to display current values.
4. Nonce Acquisition Strategy
Since this is an authenticated Admin-level exploit, a WordPress nonce is required to bypass CSRF protections on the settings form.
- Navigate: Use
browser_navigateto reach the settings page:/wp-admin/admin.php?page=videowhisper-live-streaming. - Extract: Use
browser_evalto locate the nonce within the settings form.// Common WordPress patterns for settings nonces var nonce = document.querySelector('input[name="_wpnonce"]')?.value || document.querySelector('input[name="videowhisper_nonce"]')?.value; nonce; - Identify Form Fields: Inspect the page for the specific parameter name and the form's
actionattribute (oftenoptions.php).
5. Exploitation Strategy
- Setup: Login as Administrator and navigate to the settings page.
- Payload Injection: Identify a field that accepts string input (e.g., Server Address).
- Payload:
'); system('id'); // - This payload attempts to close the PHP variable assignment string and execute a system command.
- Payload:
- HTTP Request: Use
http_requestto submit the form.- Method:
POST - URL:
http://localhost:8080/wp-admin/options.php(if using Settings API) or the plugin's own page. - Parameters:
_wpnonce: (Extracted nonce)option_page:videowhisper_settings_group(inferred)action:updatetarget_field_name:'); system('id'); //
- Method:
- Trigger:
- Option A: Access the generated file directly:
http://localhost:8080/wp-content/plugins/videowhisper-live-streaming-integration/ls_config.php. - Option B: Refresh the settings page if it includes the config file.
- Option A: Access the generated file directly:
6. Test Data Setup
- Plugin Installation:
wp plugin install videowhisper-live-streaming-integration --activate - Verify Permissions: Ensure the web server has write access to the plugin's directory.
- Shortcode (if needed for trigger): Create a page with
[videowhisper_broadcast]to trigger the inclusion of configuration files.wp post create --post_type=page --post_status=publish --post_content='[videowhisper_broadcast]'
7. Expected Results
- Upon requesting the triggered endpoint, the HTTP response body should contain the output of the
idcommand (e.g.,uid=33(www-data)...). - The
ls_config.phpfile on the filesystem will contain the malicious code block.
8. Verification Steps
- CLI Check: Verify the file content via the container terminal:
cat /var/www/html/wp-content/plugins/videowhisper-live-streaming-integration/ls_config.php - Option Check: Verify the setting was saved in the database:
wp option get videowhisper_live_streaming_options(inferred)
9. Alternative Approaches
- Direct eval(): If the plugin does not write to a file, look for
eval()calls inls_functions.phpthat process settings stored in the database. - Path Traversal: If code injection is blocked, check if the file path in
file_put_contentscan be manipulated via a parameter likeconfig_file_nameto write a shell in a different directory (e.g.,/wp-content/uploads/shell.php).
Summary
The Broadcast Live Video plugin is vulnerable to authenticated Remote Code Execution (RCE) because it writes administrative settings directly into a PHP configuration file without sanitization. An attacker with Administrator-level privileges can inject malicious PHP code into these settings, which is then executed when the plugin loads its configuration.
Vulnerable Code
// Inferred from research plan logic // wp-content/plugins/videowhisper-live-streaming-integration/ls_settings.php $rtmp_server = $_POST['server_address']; $content = "<?php \$rtmp_server = '" . $rtmp_server . "'; ?>"; file_put_contents('ls_config.php', $content);
Security Fix
@@ -1,3 +1,3 @@ -$rtmp_server = $_POST['server_address']; -$content = "<?php \$rtmp_server = '" . $rtmp_server . "'; ?>"; +$rtmp_server = sanitize_text_field($_POST['server_address']); +$content = "<?php \$rtmp_server = " . var_export($rtmp_server, true) . "; ?>"; file_put_contents('ls_config.php', $content);
Exploit Outline
The exploit requires Administrator privileges and a valid CSRF nonce from the plugin settings page. An attacker submits a POST request to update the plugin settings, injecting a PHP payload like `'); system('id'); //` into a text field such as the RTMP server address. This payload breaks out of the intended PHP string assignment in the generated configuration file. The attacker then triggers execution by directly requesting the newly created or updated PHP configuration file (e.g., `ls_config.php`) or by loading a page where the plugin includes that file.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.