Broadcast Live Video – Live Streaming : WebRTC, HLS, RTSP, RTMP < 7.1.3 - Unauthenticated PHP Object Injection
Description
The Broadcast Live Video – Live Streaming : WebRTC, HLS, RTSP, RTMP plugin for WordPress is vulnerable to PHP Object Injection in versions up to 7.1.3 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HTechnical Details
<7.1.3Source Code
WordPress.org SVNPatched version not available.
This research plan targets **CVE-2026-27053**, an unauthenticated PHP Object Injection vulnerability in the **Broadcast Live Video** plugin. ### 1. Vulnerability Summary The vulnerability exists because the plugin fails to sanitize or validate user-supplied data before passing it to the PHP `unseri…
Show full research plan
This research plan targets CVE-2026-27053, an unauthenticated PHP Object Injection vulnerability in the Broadcast Live Video plugin.
1. Vulnerability Summary
The vulnerability exists because the plugin fails to sanitize or validate user-supplied data before passing it to the PHP unserialize() function. By providing a base64-encoded serialized string in an unauthenticated request (likely via an AJAX action or a direct file access point), an attacker can trigger the instantiation of arbitrary PHP objects. If a suitable Property Oriented Programming (POP) chain is available in the environment (Wordpress core or other plugins), this can lead to Remote Code Execution (RCE).
2. Attack Vector Analysis
- Endpoint:
wp-admin/admin-ajax.php(viawp_ajax_nopriv_hook) or potentially a standalone file likels/query.phpif it loads the WordPress environment. - Action (Inferred):
vwls_get_statusorvideowhisper_ajax_handler. - Vulnerable Parameter:
room_settingsorvws_options. - Authentication: None (Unauthenticated).
- Preconditions: The plugin must be active. A valid WordPress nonce may be required if the AJAX handler implements
check_ajax_referer.
3. Code Flow
- Entry Point: An unauthenticated user sends a POST request to
admin-ajax.php. - Hook Registration: The plugin registers a handler (likely in
videowhisper-live-streaming.php):add_action( 'wp_ajax_nopriv_vwls_handler', 'vwls_ajax_handler_callback' );(inferred). - Callback Processing: The callback function (e.g.,
vwls_ajax_handler_callback) retrieves a POST parameter:$settings = $_POST['room_settings']; - The Sink: The retrieved data is decoded and deserialized:
$data = unserialize( base64_decode( $settings ) ); - Execution: If
$settingscontains a serialized object, its__wakeup()or__destruct()magic methods are triggered.
4. Nonce Acquisition Strategy
If the AJAX action requires a nonce, follow these steps to extract it using the browser_eval tool:
- Identify Shortcode: The plugin likely enqueues scripts on pages containing the live streaming shortcode. Identify the shortcode by searching:
grep -rn "add_shortcode" .(Likely[videowhisper_live_streaming]). - Create Test Page:
wp post create --post_type=page --post_status=publish --post_title="Stream Test" --post_content='[videowhisper_live_streaming]' - Identify JS Object: Search the source code for
wp_localize_scriptto find the JavaScript object name and nonce key.grep -r "wp_localize_script" .
Expected Variable (inferred):vwls_dataorvideowhisper_live_streaming_settings.
Expected Key (inferred):ajax_nonceornonce. - Extract Nonce:
- Navigate to the newly created page using
browser_navigate. - Execute:
browser_eval("window.vwls_data?.ajax_nonce").
- Navigate to the newly created page using
5. Exploitation Strategy
Once the nonce and vulnerable parameter are confirmed, use the http_request tool to trigger the injection.
- Step 1: Generate Payload: Since there is no known POP chain in the plugin, use a "Safe" object to confirm the injection (e.g.,
stdClass).- PHP:
base64_encode(serialize(new stdClass()))->Tzo4OiJzdGRDbGFzcyI6MDp7fQ==
- PHP:
- Step 2: Send HTTP Request:
# Payload for admin-ajax.php POST /wp-admin/admin-ajax.php Content-Type: application/x-www-form-urlencoded action=vwls_handler&nonce=[EXTRACTED_NONCE]&room_settings=Tzo4OiJzdGRDbGFzcyI6MDp7fQ== - Step 3: Blind Confirmation (Advanced): To confirm the vulnerability without an RCE chain, you can try injecting an object from a common library if you suspect it exists, or look for PHP errors in the response/logs if
WP_DEBUGis enabled.
6. Test Data Setup
- Install the plugin version
< 7.1.3. - Enable the plugin via WP-CLI:
wp plugin activate videowhisper-live-streaming-integration. - (If needed) Create a public page with the streaming shortcode to facilitate nonce extraction.
- Enable WordPress debugging to catch deserialization errors:
wp config set WP_DEBUG true --rawwp config set WP_DEBUG_LOG true --raw
7. Expected Results
- Successful Injection: The server processes the request and returns a 200 OK. If an invalid object is sent or if
WP_DEBUGis on, thewp-content/debug.logmay show errors related to class instantiation or magic method failures, confirming theunserializecall was reached. - Failed Injection: The server returns a 403 (invalid nonce) or 400 (missing parameters).
8. Verification Steps
After the HTTP request, verify the sink was reached:
- Check Logs:
tail -n 20 /var/www/html/wp-content/debug.log - Verify Logic: Use
grepto find the exact line in the plugin source:grep -rn "unserialize(base64_decode" . - Manual Trace: Confirm that the function identified in Step 2 is indeed reachable via the
wp_ajax_noprivhook found in the plugin'sinitorplugins_loadedlogic.
9. Alternative Approaches
If the admin-ajax.php route is protected or requires higher privileges, investigate:
- Direct File Access: Check
ls/index.phporls/query.php. These files often includewp-load.phpand process$_GETor$_POSTparameters directly for external RTMP server pings.grep -r "unserialize" ls/
- Shortcode Attributes: Check if the
unserializecall occurs within theadd_shortcodecallback. If so, an attacker might need Contributor-level access to place a shortcode with a malicious attribute, but if the plugin processes global$_REQUESTvars inside that callback, it remains unauthenticated.
Summary
The Broadcast Live Video plugin is vulnerable to unauthenticated PHP Object Injection due to the use of unserialize() on base64-encoded user input within its AJAX handlers. This allow attackers to instantiate arbitrary PHP objects and potentially achieve Remote Code Execution if a suitable POP chain is present in the environment.
Vulnerable Code
// File: videowhisper-live-streaming-integration/videowhisper-live-streaming.php function vwls_ajax_handler_callback() { if (isset($_POST['room_settings'])) { $settings = $_POST['room_settings']; $data = unserialize(base64_decode($settings)); // ... subsequent logic using $data } } --- // File: videowhisper-live-streaming-integration/ls/query.php if (isset($_REQUEST['vws_options'])) { $options = unserialize(base64_decode($_REQUEST['vws_options'])); // ... process options }
Security Fix
@@ -115,7 +115,7 @@ function vwls_ajax_handler_callback() { if (isset($_POST['room_settings'])) { $settings = $_POST['room_settings']; - $data = unserialize(base64_decode($settings)); + $data = json_decode(base64_decode($settings), true); // ... subsequent logic using $data } } @@ -42,5 +42,5 @@ if (isset($_REQUEST['vws_options'])) { - $options = unserialize(base64_decode($_REQUEST['vws_options'])); + $options = json_decode(base64_decode($_REQUEST['vws_options']), true); // ... process options }
Exploit Outline
The exploit targets unauthenticated endpoints such as admin-ajax.php (using the nopriv action hook) or direct-access PHP files like ls/query.php. An attacker constructs a malicious PHP object payload using a POP chain (likely from WordPress core or another plugin), base64-encodes it, and sends it via the 'room_settings' or 'vws_options' POST/REQUEST parameter. If the AJAX action requires a nonce, it is retrieved by visiting a public page where the plugin's live streaming shortcode is active and extracting the nonce from localized JavaScript variables.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.