Paid Videochat Turnkey Site – HTML5 PPV Live Webcams <= 7.3.23 - Unauthenticated PHP Object Injection
Description
The Paid Videochat Turnkey Site – HTML5 PPV Live Webcams plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 7.3.23 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HTechnical Details
<=7.3.23Source Code
WordPress.org SVNPatched version not available.
This research plan outlines the steps required to identify and exploit the unauthenticated PHP Object Injection vulnerability (CVE-2026-27333) in the **Paid Videochat Turnkey Site – HTML5 PPV Live Webcams** plugin. ### 1. Vulnerability Summary * **Vulnerability Name:** PHP Object Injection * **…
Show full research plan
This research plan outlines the steps required to identify and exploit the unauthenticated PHP Object Injection vulnerability (CVE-2026-27333) in the Paid Videochat Turnkey Site – HTML5 PPV Live Webcams plugin.
1. Vulnerability Summary
- Vulnerability Name: PHP Object Injection
- CVE ID: CVE-2026-27333
- Plugin Slug:
ppv-live-webcams - Affected Versions: <= 7.3.23
- Vulnerability Type: Deserialization of Untrusted Data
- Description: The plugin passes user-controlled input (from GET, POST, or COOKIE) directly into the PHP
unserialize()function without proper validation. While the plugin itself lacks a native POP chain, an attacker can leverage POP chains in other installed plugins or WordPress core to achieve Remote Code Execution (RCE) or file manipulation.
2. Attack Vector Analysis
- Endpoint: Likely an AJAX handler (
wp-admin/admin-ajax.php) or a global hook (init,wp_loaded) that processes request parameters. - Unauthenticated Access: The vulnerability is reachable via
wp_ajax_nopriv_*hooks or direct frontend requests. - Preconditions: The plugin must be active. A successful exploit (beyond proof-of-concept injection) requires a secondary POP chain.
- Vulnerable Parameter: (Inferred) Likely a parameter named
data,config,settings, orsession_datapassed via POST or a Base64-encoded cookie.
3. Code Flow Analysis
To locate the exact sink, the following code search strategy must be employed:
- Identify the Sink: Search for all occurrences of
unserializein the plugin directory.grep -rn "unserialize(" /var/www/html/wp-content/plugins/ppv-live-webcams/ - Trace the Source: For each result, trace the variable passed to
unserialize()back to its origin. Look for assignments like:$input = $_POST['...'];$input = $_GET['...'];$input = $_COOKIE['...'];$input = base64_decode(...);
- Identify the Entry Point: Determine which WordPress hook triggers the function containing the sink.
- Look for
add_action('wp_ajax_nopriv_...', ...)oradd_action('init', ...)in the vicinity of the logic. - Verification of unauthenticated access: Ensure the hook is
wp_ajax_nopriv_(available to logged-out users) or a general frontend hook.
- Look for
4. Nonce Acquisition Strategy
If the vulnerable endpoint is an AJAX handler, it may require a nonce.
- Locate Nonce Registration: Search for
wp_create_nonceandwp_localize_scriptin the plugin.grep -rn "wp_create_nonce" /var/www/html/wp-content/plugins/ppv-live-webcams/ - Identify Shortcode/Page: Find which shortcode enqueues the script containing the nonce.
grep -rn "add_shortcode" /var/www/html/wp-content/plugins/ppv-live-webcams/ - Extraction Procedure:
- Create a page with the identified shortcode (e.g.,
[ppv-webcams-live]). - Navigate to the page using
browser_navigate. - Use
browser_evalto extract the nonce from the global JS object. - JS Variable Example:
window.ppv_vars?.nonce(Verify actual name in the source viawp_localize_scriptcalls).
- Create a page with the identified shortcode (e.g.,
5. Exploitation Strategy
Since the goal is a Proof of Concept (PoC) for Object Injection and no POP chain is present in the plugin, we will use a "blind" injection check or an error-triggering injection.
- Identify Injection Parameter: Based on Step 3, let's assume the parameter is
ls_sessionand the action isppv_update_state. - Payload Construction: Create a simple PHP serialized string.
- Safe Payload:
O:8:"stdClass":0:{}(A standard empty object). - Verification Payload:
O:14:"NonExistentClass":0:{}(This will likely trigger a PHP notice/warning ifWP_DEBUGis on, or simply be handled as__PHP_Incomplete_Class).
- Safe Payload:
- Request Formulation:
- Method: POST
- URL:
http://localhost:8080/wp-admin/admin-ajax.php - Headers:
Content-Type: application/x-www-form-urlencoded - Body:
action=ppv_update_state&nonce=[NONCE]&ls_session=[PAYLOAD]
- Execution: Use the
http_requesttool to send the payload.
6. Test Data Setup
- Install Plugin: Ensure
ppv-live-webcamsversion 7.3.23 is installed and active. - Create Test Page: If a nonce is required, create a page to leak it.
wp post create --post_type=page --post_title="Live Cam" --post_status=publish --post_content="[ppv-webcams-shortcode]" - Configure Plugin: Ensure any minimum settings required to trigger the AJAX functionality are configured (though unauthenticated handlers usually don't require this).
7. Expected Results
- Success Indicator: The server returns a 200 OK or specific plugin response, but internally, the
unserialize()function executes. - Technical Confirmation: If
WP_DEBUGis enabled inwp-config.php, the response or thedebug.logmay showPHP Warning: unserialize(): Error at offset...orClass NonExistentClass not found. - POP Chain Proof: If a core POP chain is used (e.g.,
WP_HTML_Tokenin newer WP versions), evidence of that chain's execution (like a file write or specific error) would be visible.
8. Verification Steps
- Check Logs: Monitor the WordPress debug log during the request.
tail -f /var/www/html/wp-content/debug.log - Instrument the Code: (Optional/Local) Temporarily add a
file_put_contentscall inside the plugin's code just beforeunserialize()to verify the payload is reaching the sink exactly as sent. - Verify Unauthenticated Reachability: Attempt the
http_requestwithout any session cookies to confirm thenoprivstatus.
9. Alternative Approaches
- Cookie Injection: If no POST parameter is found, check for
unserialize(base64_decode($_COOKIE['...'])). This is a common pattern for "Turnkey" sites handling user sessions. - Grep for
maybe_unserialize: Sometimes developers use the WordPress wrappermaybe_unserialize(). While safer in some contexts, it is still vulnerable if the input is guaranteed to be a string that "looks" serialized. - Global Variable Overwrite: If a POP chain is found in a common dependency (like
GuzzleorSwiftMailer) that might be loaded, use a known payload for those libraries.
Summary
The Paid Videochat Turnkey Site – HTML5 PPV Live Webcams plugin for WordPress is vulnerable to unauthenticated PHP Object Injection due to the use of the insecure unserialize() function on user-controllable input. While the plugin lacks a built-in POP chain, attackers can leverage chains in other installed components to achieve remote code execution or unauthorized file access.
Vulnerable Code
// Inferred from research plan and vulnerability type // Path: wp-content/plugins/ppv-live-webcams/ppv-live-webcams.php add_action('wp_ajax_nopriv_ppv_update_state', 'ppv_update_state_handler'); function ppv_update_state_handler() { if (isset($_POST['ls_session'])) { $data = unserialize(base64_decode($_POST['ls_session'])); // ... process data ... } }
Security Fix
@@ -10,7 +10,7 @@ function ppv_update_state_handler() { if (isset($_POST['ls_session'])) { - $data = unserialize(base64_decode($_POST['ls_session'])); + $data = json_decode(base64_decode($_POST['ls_session']), true); // ... process data ... } }
Exploit Outline
The vulnerability is exploited by targeting unauthenticated AJAX handlers or frontend hooks that process user input. An attacker sends a POST request to wp-admin/admin-ajax.php with the 'action' set to a vulnerable handler (like ppv_update_state). The payload is a Base64-encoded PHP serialized string containing a crafted POP chain, placed in a parameter like 'ls_session'. If a suitable POP chain exists in the site's other plugins or WordPress core, the execution of magic methods during deserialization can lead to arbitrary code execution or file manipulation.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.