PatchSiren cyber security CVE debrief
CVE-2026-24590 VideoWhisper.com CVE debrief
A Missing Authorization vulnerability (CWE-862) in the Paid Videochat Turnkey Site WordPress plugin allows exploitation of incorrectly configured access control security levels. The vulnerability affects all versions through 7.3.23 (the record gives the starting version as n/a). The CVSS 3.1 score of 5.3 (MEDIUM) reflects a network-accessible attack vector with low attack complexity, no required privileges or user interaction, and low confidentiality impact with no integrity or availability impact. The CVE was published on 2026-05-26 and modified later the same day. The vulnerability status is currently marked as 'Deferred' in the NVD. No known exploitation in ransomware campaigns has been documented, and the vulnerability has not been added to CISA's Known Exploited Vulnerabilities catalog.
- Vendor: VideoWhisper.com
- Product: Paid Videochat Turnkey Site
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-26
- Original CVE updated: 2026-05-26
- Advisory published: 2026-05-26
- Advisory updated: 2026-05-26
Who should care
WordPress site administrators using the Paid Videochat Turnkey Site plugin; security teams managing WordPress content management systems; compliance officers tracking access control vulnerabilities in web applications
Technical summary
The Paid Videochat Turnkey Site WordPress plugin contains a Missing Authorization vulnerability classified under CWE-862. The flaw permits attackers to exploit incorrectly configured access control security levels, potentially allowing unauthorized access to functionality that should require authentication or elevated privileges. The vulnerability exists in all versions through 7.3.23. The attack is network-accessible with low complexity and requires no authentication, though impact is limited to low confidentiality loss with no integrity or availability effects.
Defensive priority
medium
Recommended defensive actions
- Review WordPress installations for the Paid Videochat Turnkey Site plugin (ppv-live-webcams) and upgrade to a version newer than 7.3.23 if available
- Apply principle of least privilege to all WordPress user accounts and API endpoints
- Monitor access logs for unauthorized access attempts to videochat administrative functions
- Verify plugin update availability through official WordPress plugin repository or vendor channels
- Consider implementing Web Application Firewall rules to restrict access to sensitive plugin endpoints pending patch availability
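One way to carry out the first action across a server, as an added example (not code from this debrief, Patchstack or the vendor): it walks a directory tree, finds every copy of the `ppv-live-webcams` plugin, reads the `Version:` header and flags installs at or below 7.3.23. It assumes the standard `wp-content/plugins/<slug>` layout and the standard WordPress plugin header; the function names are illustrative.

```python
import re
import sys
from pathlib import Path

PLUGIN_SLUG = "ppv-live-webcams"   # plugin slug named in this debrief
LAST_AFFECTED = (7, 3, 23)         # last affected version per this debrief

# WordPress reads plugin metadata from a comment header in the first 8 KB
# of a top-level PHP file in the plugin directory.
NAME_RE = re.compile(r"^[ \t/*#@]*Plugin Name:", re.M | re.I)
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\d[\w.\-]*)", re.M | re.I)

def parse_version(text):
    """'7.3.23' -> (7, 3, 23); only the leading digits of each part count."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)

def is_affected(version_text):
    """True when the version is at or below the last affected release."""
    v = parse_version(version_text)
    width = max(len(v), len(LAST_AFFECTED))
    pad = lambda t: t + (0,) * (width - len(t))   # 7.3 compares as 7.3.0
    return pad(v) <= pad(LAST_AFFECTED)

def installed_version(plugin_dir):
    """Return the Version header of the plugin's main file, or None."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        head = php.read_text(encoding="utf-8", errors="replace")[:8192]
        if NAME_RE.search(head):
            m = VERSION_RE.search(head)
            return m.group(1) if m else None
    return None

def scan(root):
    """List (path, version, status) for each copy of the plugin under root."""
    findings = []
    for plugin_dir in sorted(Path(root).rglob(f"wp-content/plugins/{PLUGIN_SLUG}")):
        version = installed_version(plugin_dir)
        if version is None:
            status = "unknown"        # no readable header: review by hand
        else:
            status = "affected" if is_affected(version) else "newer"
        findings.append((str(plugin_dir), version, status))
    return findings

if __name__ == "__main__":
    for path, version, status in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{status:8} {version or '-':10} {path}")
```

Run it with the web root as the only argument; an `unknown` result means the plugin directory exists but no version header could be read, so it should be checked manually.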
Evidence notes
Vulnerability identified through Patchstack security research. Vendor attribution marked as 'Unknown Vendor' with low confidence based on reference domain analysis; requires review. CPE criteria not yet available in source data.
Official resources
- CVE-2026-24590 CVE record (CVE.org)
- CVE-2026-24590 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference (2026-05-26)