PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-24937 VideoWhisper.com CVE debrief

A high-severity code injection vulnerability exists in the Broadcast Live Video WordPress plugin by VideoWhisper.Com. The flaw, rated CVSS 7.2, allows authenticated attackers with high privileges to inject and execute arbitrary code. Affected versions span all releases prior to 7.1.3. The vulnerability was disclosed on 2026-05-25 and last modified on 2026-05-26. No known exploitation in ransomware campaigns has been documented, and the issue has not been added to CISA's Known Exploited Vulnerabilities catalog.

Vendor: VideoWhisper.com
Product: Broadcast Live Video
CVSS: HIGH 7.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-25
Original CVE updated: 2026-05-26
Advisory published: 2026-05-25
Advisory updated: 2026-05-26

Who should care

WordPress site administrators using the VideoWhisper Broadcast Live Video plugin; security teams managing WordPress deployments; hosting providers offering managed WordPress services.

Technical summary

The Broadcast Live Video plugin for WordPress contains a code injection vulnerability (CWE-94) that permits remote code execution. The attack requires high privileges (administrative access) with no user interaction needed. The vulnerability affects all versions prior to 7.1.3. Successful exploitation could result in complete confidentiality, integrity, and availability compromise of the affected WordPress installation.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade the Broadcast Live Video plugin to version 7.1.3 or later
  • Review administrative user accounts for unauthorized access or privilege escalation
  • Audit plugin settings and custom code configurations for unexpected modifications
  • Apply the principle of least privilege to WordPress administrative accounts
  • Enable web application firewall rules to detect code injection attempts
  • Monitor server logs for suspicious code execution patterns
  • Verify plugin integrity through checksum validation after the update

Evidence notes

Vulnerability classification sourced from NVD with CVSS:3.1 vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. CWE-94 (Improper Control of Generation of Code) identified as primary weakness. Vendor attribution marked as low confidence requiring review; Patchstack identified as reference domain candidate.

Official resources

2026-05-25T23:16:32.440Z