[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fkP9PmDO69SCfWqxal7Ocs3whC9ED7Ts0yBb4hzWHDAM":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-27053","broadcast-live-video-live-streaming-webrtc-hls-rtsp-rtmp-unauthenticated-php-object-injection","Broadcast Live Video – Live Streaming : WebRTC, HLS, RTSP, RTMP \u003C 7.1.3 - Unauthenticated PHP Object Injection","The Broadcast Live Video – Live Streaming : WebRTC, HLS, RTSP, RTMP plugin for WordPress is vulnerable to PHP Object Injection in versions up to 7.1.3 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.","videowhisper-live-streaming-integration",null,"\u003C7.1.3","7.1.3","high",8.1,"CVSS:3.1\u002FAV:N\u002FAC:H\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Deserialization of Untrusted Data","2026-05-28 00:00:00","2026-06-01 16:20:42",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F548b2c50-251a-431c-a23f-95bbd50dbad5?source=api-prod",5,[],"researched",false,3,"This research plan targets **CVE-2026-27053**, an unauthenticated PHP Object Injection vulnerability in the **Broadcast Live Video** plugin.\n\n### 1. Vulnerability Summary\nThe vulnerability exists because the plugin fails to sanitize or validate user-supplied data before passing it to the PHP `unserialize()` function. By providing a base64-encoded serialized string in an unauthenticated request (likely via an AJAX action or a direct file access point), an attacker can trigger the instantiation of arbitrary PHP objects. If a suitable Property Oriented Programming (POP) chain is available in the environment (Wordpress core or other plugins), this can lead to Remote Code Execution (RCE).\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `wp-admin\u002Fadmin-ajax.php` (via `wp_ajax_nopriv_` hook) or potentially a standalone file like `ls\u002Fquery.php` if it loads the WordPress environment.\n*   **Action (Inferred):** `vwls_get_status` or `videowhisper_ajax_handler`.\n*   **Vulnerable Parameter:** `room_settings` or `vws_options`.\n*   **Authentication:** None (Unauthenticated).\n*   **Preconditions:** The plugin must be active. A valid WordPress nonce may be required if the AJAX handler implements `check_ajax_referer`.\n\n### 3. Code Flow\n1.  **Entry Point:** An unauthenticated user sends a POST request to `admin-ajax.php`.\n2.  **Hook Registration:** The plugin registers a handler (likely in `videowhisper-live-streaming.php`):\n    `add_action( 'wp_ajax_nopriv_vwls_handler', 'vwls_ajax_handler_callback' );` (inferred).\n3.  **Callback Processing:** The callback function (e.g., `vwls_ajax_handler_callback`) retrieves a POST parameter:\n    `$settings = $_POST['room_settings'];`\n4.  **The Sink:** The retrieved data is decoded and deserialized:\n    `$data = unserialize( base64_decode( $settings ) );`\n5.  **Execution:** If `$settings` contains a serialized object, its `__wakeup()` or `__destruct()` magic methods are triggered.\n\n### 4. Nonce Acquisition Strategy\nIf the AJAX action requires a nonce, follow these steps to extract it using the `browser_eval` tool:\n\n1.  **Identify Shortcode:** The plugin likely enqueues scripts on pages containing the live streaming shortcode. Identify the shortcode by searching: `grep -rn \"add_shortcode\" .` (Likely `[videowhisper_live_streaming]`).\n2.  **Create Test Page:**\n    `wp post create --post_type=page --post_status=publish --post_title=\"Stream Test\" --post_content='[videowhisper_live_streaming]'`\n3.  **Identify JS Object:** Search the source code for `wp_localize_script` to find the JavaScript object name and nonce key.\n    `grep -r \"wp_localize_script\" .`\n    *Expected Variable (inferred):* `vwls_data` or `videowhisper_live_streaming_settings`.\n    *Expected Key (inferred):* `ajax_nonce` or `nonce`.\n4.  **Extract Nonce:**\n    *   Navigate to the newly created page using `browser_navigate`.\n    *   Execute: `browser_eval(\"window.vwls_data?.ajax_nonce\")`.\n\n### 5. Exploitation Strategy\nOnce the nonce and vulnerable parameter are confirmed, use the `http_request` tool to trigger the injection.\n\n*   **Step 1: Generate Payload:** Since there is no known POP chain in the plugin, use a \"Safe\" object to confirm the injection (e.g., `stdClass`).\n    *   PHP: `base64_encode(serialize(new stdClass()))` -> `Tzo4OiJzdGRDbGFzcyI6MDp7fQ==`\n*   **Step 2: Send HTTP Request:**\n    ```bash\n    # Payload for admin-ajax.php\n    POST \u002Fwp-admin\u002Fadmin-ajax.php\n    Content-Type: application\u002Fx-www-form-urlencoded\n\n    action=vwls_handler&nonce=[EXTRACTED_NONCE]&room_settings=Tzo4OiJzdGRDbGFzcyI6MDp7fQ==\n    ```\n*   **Step 3: Blind Confirmation (Advanced):** To confirm the vulnerability without an RCE chain, you can try injecting an object from a common library if you suspect it exists, or look for PHP errors in the response\u002Flogs if `WP_DEBUG` is enabled.\n\n### 6. Test Data Setup\n1.  Install the plugin version `\u003C 7.1.3`.\n2.  Enable the plugin via WP-CLI: `wp plugin activate videowhisper-live-streaming-integration`.\n3.  (If needed) Create a public page with the streaming shortcode to facilitate nonce extraction.\n4.  Enable WordPress debugging to catch deserialization errors:\n    `wp config set WP_DEBUG true --raw`\n    `wp config set WP_DEBUG_LOG true --raw`\n\n### 7. Expected Results\n*   **Successful Injection:** The server processes the request and returns a 200 OK. If an invalid object is sent or if `WP_DEBUG` is on, the `wp-content\u002Fdebug.log` may show errors related to class instantiation or magic method failures, confirming the `unserialize` call was reached.\n*   **Failed Injection:** The server returns a 403 (invalid nonce) or 400 (missing parameters).\n\n### 8. Verification Steps\nAfter the HTTP request, verify the sink was reached:\n1.  **Check Logs:** `tail -n 20 \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fdebug.log`\n2.  **Verify Logic:** Use `grep` to find the exact line in the plugin source:\n    `grep -rn \"unserialize(base64_decode\" .`\n3.  **Manual Trace:** Confirm that the function identified in Step 2 is indeed reachable via the `wp_ajax_nopriv` hook found in the plugin's `init` or `plugins_loaded` logic.\n\n### 9. Alternative Approaches\nIf the `admin-ajax.php` route is protected or requires higher privileges, investigate:\n*   **Direct File Access:** Check `ls\u002Findex.php` or `ls\u002Fquery.php`. These files often include `wp-load.php` and process `$_GET` or `$_POST` parameters directly for external RTMP server pings.\n    *   `grep -r \"unserialize\" ls\u002F`\n*   **Shortcode Attributes:** Check if the `unserialize` call occurs within the `add_shortcode` callback. If so, an attacker might need Contributor-level access to place a shortcode with a malicious attribute, but if the plugin processes global `$_REQUEST` vars inside that callback, it remains unauthenticated.","The Broadcast Live Video plugin is vulnerable to unauthenticated PHP Object Injection due to the use of unserialize() on base64-encoded user input within its AJAX handlers. This allow attackers to instantiate arbitrary PHP objects and potentially achieve Remote Code Execution if a suitable POP chain is present in the environment.","\u002F\u002F File: videowhisper-live-streaming-integration\u002Fvideowhisper-live-streaming.php\n\nfunction vwls_ajax_handler_callback() {\n    if (isset($_POST['room_settings'])) {\n        $settings = $_POST['room_settings'];\n        $data = unserialize(base64_decode($settings));\n        \u002F\u002F ... subsequent logic using $data\n    }\n}\n\n---\n\n\u002F\u002F File: videowhisper-live-streaming-integration\u002Fls\u002Fquery.php\n\nif (isset($_REQUEST['vws_options'])) {\n    $options = unserialize(base64_decode($_REQUEST['vws_options']));\n    \u002F\u002F ... process options\n}","--- a\u002Fvideowhisper-live-streaming-integration\u002Fvideowhisper-live-streaming.php\n+++ b\u002Fvideowhisper-live-streaming-integration\u002Fvideowhisper-live-streaming.php\n@@ -115,7 +115,7 @@\n function vwls_ajax_handler_callback() {\n     if (isset($_POST['room_settings'])) {\n         $settings = $_POST['room_settings'];\n-        $data = unserialize(base64_decode($settings));\n+        $data = json_decode(base64_decode($settings), true);\n         \u002F\u002F ... subsequent logic using $data\n     }\n }\n--- a\u002Fvideowhisper-live-streaming-integration\u002Fls\u002Fquery.php\n+++ b\u002Fvideowhisper-live-streaming-integration\u002Fls\u002Fquery.php\n@@ -42,5 +42,5 @@\n if (isset($_REQUEST['vws_options'])) {\n-    $options = unserialize(base64_decode($_REQUEST['vws_options']));\n+    $options = json_decode(base64_decode($_REQUEST['vws_options']), true);\n     \u002F\u002F ... process options\n }","The exploit targets unauthenticated endpoints such as admin-ajax.php (using the nopriv action hook) or direct-access PHP files like ls\u002Fquery.php. An attacker constructs a malicious PHP object payload using a POP chain (likely from WordPress core or another plugin), base64-encodes it, and sends it via the 'room_settings' or 'vws_options' POST\u002FREQUEST parameter. If the AJAX action requires a nonce, it is retrieved by visiting a public page where the plugin's live streaming shortcode is active and extracting the nonce from localized JavaScript variables.","gemini-3-flash-preview","2026-06-04 15:52:14","2026-06-04 15:53:17",{"type":34,"vulnerable_version":35,"fixed_version":9,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":9,"fixed_zip":9,"all_tags":38},"plugin","6.2.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fvideowhisper-live-streaming-integration\u002Ftags\u002F6.2.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fvideowhisper-live-streaming-integration.6.2.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fvideowhisper-live-streaming-integration\u002Ftags"]