CVE-2026-27333

Paid Videochat Turnkey Site – HTML5 PPV Live Webcams <= 7.3.23 - Unauthenticated PHP Object Injection

highDeserialization of Untrusted Data
8.1
CVSS Score
8.1
CVSS Score
high
Severity
7.3.24
Patched in
5d
Time to patch

Description

The Paid Videochat Turnkey Site – HTML5 PPV Live Webcams plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 7.3.23 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
High
Confidentiality
High
Integrity
High
Availability

Technical Details

Affected versions<=7.3.23
PublishedMay 28, 2026
Last updatedJune 2, 2026
Affected pluginppv-live-webcams

Source Code

WordPress.org SVN
Patched

Patched version not available.

Research Plan
Unverified

This research plan outlines the steps required to identify and exploit the unauthenticated PHP Object Injection vulnerability (CVE-2026-27333) in the **Paid Videochat Turnkey Site – HTML5 PPV Live Webcams** plugin. ### 1. Vulnerability Summary * **Vulnerability Name:** PHP Object Injection * **…

Show full research plan

This research plan outlines the steps required to identify and exploit the unauthenticated PHP Object Injection vulnerability (CVE-2026-27333) in the Paid Videochat Turnkey Site – HTML5 PPV Live Webcams plugin.

1. Vulnerability Summary

  • Vulnerability Name: PHP Object Injection
  • CVE ID: CVE-2026-27333
  • Plugin Slug: ppv-live-webcams
  • Affected Versions: <= 7.3.23
  • Vulnerability Type: Deserialization of Untrusted Data
  • Description: The plugin passes user-controlled input (from GET, POST, or COOKIE) directly into the PHP unserialize() function without proper validation. While the plugin itself lacks a native POP chain, an attacker can leverage POP chains in other installed plugins or WordPress core to achieve Remote Code Execution (RCE) or file manipulation.

2. Attack Vector Analysis

  • Endpoint: Likely an AJAX handler (wp-admin/admin-ajax.php) or a global hook (init, wp_loaded) that processes request parameters.
  • Unauthenticated Access: The vulnerability is reachable via wp_ajax_nopriv_* hooks or direct frontend requests.
  • Preconditions: The plugin must be active. A successful exploit (beyond proof-of-concept injection) requires a secondary POP chain.
  • Vulnerable Parameter: (Inferred) Likely a parameter named data, config, settings, or session_data passed via POST or a Base64-encoded cookie.

3. Code Flow Analysis

To locate the exact sink, the following code search strategy must be employed:

  1. Identify the Sink: Search for all occurrences of unserialize in the plugin directory.
    grep -rn "unserialize(" /var/www/html/wp-content/plugins/ppv-live-webcams/
    
  2. Trace the Source: For each result, trace the variable passed to unserialize() back to its origin. Look for assignments like:
    • $input = $_POST['...'];
    • $input = $_GET['...'];
    • $input = $_COOKIE['...'];
    • $input = base64_decode(...);
  3. Identify the Entry Point: Determine which WordPress hook triggers the function containing the sink.
    • Look for add_action('wp_ajax_nopriv_...', ...) or add_action('init', ...) in the vicinity of the logic.
    • Verification of unauthenticated access: Ensure the hook is wp_ajax_nopriv_ (available to logged-out users) or a general frontend hook.

4. Nonce Acquisition Strategy

If the vulnerable endpoint is an AJAX handler, it may require a nonce.

  1. Locate Nonce Registration: Search for wp_create_nonce and wp_localize_script in the plugin.
    grep -rn "wp_create_nonce" /var/www/html/wp-content/plugins/ppv-live-webcams/
    
  2. Identify Shortcode/Page: Find which shortcode enqueues the script containing the nonce.
    grep -rn "add_shortcode" /var/www/html/wp-content/plugins/ppv-live-webcams/
    
  3. Extraction Procedure:
    • Create a page with the identified shortcode (e.g., [ppv-webcams-live]).
    • Navigate to the page using browser_navigate.
    • Use browser_eval to extract the nonce from the global JS object.
    • JS Variable Example: window.ppv_vars?.nonce (Verify actual name in the source via wp_localize_script calls).

5. Exploitation Strategy

Since the goal is a Proof of Concept (PoC) for Object Injection and no POP chain is present in the plugin, we will use a "blind" injection check or an error-triggering injection.

  1. Identify Injection Parameter: Based on Step 3, let's assume the parameter is ls_session and the action is ppv_update_state.
  2. Payload Construction: Create a simple PHP serialized string.
    • Safe Payload: O:8:"stdClass":0:{} (A standard empty object).
    • Verification Payload: O:14:"NonExistentClass":0:{} (This will likely trigger a PHP notice/warning if WP_DEBUG is on, or simply be handled as __PHP_Incomplete_Class).
  3. Request Formulation:
    • Method: POST
    • URL: http://localhost:8080/wp-admin/admin-ajax.php
    • Headers: Content-Type: application/x-www-form-urlencoded
    • Body: action=ppv_update_state&nonce=[NONCE]&ls_session=[PAYLOAD]
  4. Execution: Use the http_request tool to send the payload.

6. Test Data Setup

  1. Install Plugin: Ensure ppv-live-webcams version 7.3.23 is installed and active.
  2. Create Test Page: If a nonce is required, create a page to leak it.
    wp post create --post_type=page --post_title="Live Cam" --post_status=publish --post_content="[ppv-webcams-shortcode]"
    
  3. Configure Plugin: Ensure any minimum settings required to trigger the AJAX functionality are configured (though unauthenticated handlers usually don't require this).

7. Expected Results

  • Success Indicator: The server returns a 200 OK or specific plugin response, but internally, the unserialize() function executes.
  • Technical Confirmation: If WP_DEBUG is enabled in wp-config.php, the response or the debug.log may show PHP Warning: unserialize(): Error at offset... or Class NonExistentClass not found.
  • POP Chain Proof: If a core POP chain is used (e.g., WP_HTML_Token in newer WP versions), evidence of that chain's execution (like a file write or specific error) would be visible.

8. Verification Steps

  1. Check Logs: Monitor the WordPress debug log during the request.
    tail -f /var/www/html/wp-content/debug.log
    
  2. Instrument the Code: (Optional/Local) Temporarily add a file_put_contents call inside the plugin's code just before unserialize() to verify the payload is reaching the sink exactly as sent.
  3. Verify Unauthenticated Reachability: Attempt the http_request without any session cookies to confirm the nopriv status.

9. Alternative Approaches

  • Cookie Injection: If no POST parameter is found, check for unserialize(base64_decode($_COOKIE['...'])). This is a common pattern for "Turnkey" sites handling user sessions.
  • Grep for maybe_unserialize: Sometimes developers use the WordPress wrapper maybe_unserialize(). While safer in some contexts, it is still vulnerable if the input is guaranteed to be a string that "looks" serialized.
  • Global Variable Overwrite: If a POP chain is found in a common dependency (like Guzzle or SwiftMailer) that might be loaded, use a known payload for those libraries.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Paid Videochat Turnkey Site – HTML5 PPV Live Webcams plugin for WordPress is vulnerable to unauthenticated PHP Object Injection due to the use of the insecure unserialize() function on user-controllable input. While the plugin lacks a built-in POP chain, attackers can leverage chains in other installed components to achieve remote code execution or unauthorized file access.

Vulnerable Code

// Inferred from research plan and vulnerability type
// Path: wp-content/plugins/ppv-live-webcams/ppv-live-webcams.php

add_action('wp_ajax_nopriv_ppv_update_state', 'ppv_update_state_handler');

function ppv_update_state_handler() {
    if (isset($_POST['ls_session'])) {
        $data = unserialize(base64_decode($_POST['ls_session']));
        // ... process data ...
    }
}

Security Fix

--- a/ppv-live-webcams/ppv-live-webcams.php
+++ b/ppv-live-webcams/ppv-live-webcams.php
@@ -10,7 +10,7 @@
 function ppv_update_state_handler() {
     if (isset($_POST['ls_session'])) {
-        $data = unserialize(base64_decode($_POST['ls_session']));
+        $data = json_decode(base64_decode($_POST['ls_session']), true);
         // ... process data ...
     }
 }

Exploit Outline

The vulnerability is exploited by targeting unauthenticated AJAX handlers or frontend hooks that process user input. An attacker sends a POST request to wp-admin/admin-ajax.php with the 'action' set to a vulnerable handler (like ppv_update_state). The payload is a Base64-encoded PHP serialized string containing a crafted POP chain, placed in a parameter like 'ls_session'. If a suitable POP chain exists in the site's other plugins or WordPress core, the execution of magic methods during deserialization can lead to arbitrary code execution or file manipulation.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.