Cyber Posture

CVE-2025-22663

High

Published: 18 February 2025

Modified: 23 April 2026
KEV Added:
Patch:
CVSS Score: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)
EPSS Score: 0.0022 (44.2th percentile)
Risk Priority: 17 (60% EPSS · 20% KEV · 20% CVSS)

Description

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in videowhisper Paid Videochat Turnkey Site ppv-live-webcams allows Path Traversal. This issue affects Paid Videochat Turnkey Site: from n/a through <= 7.2.12.

Security Summary

CVE-2025-22663 is an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability, classified as CWE-22, in the videowhisper Paid Videochat Turnkey Site (ppv-live-webcams) WordPress plugin. It affects versions up to and including 7.2.12. The vulnerability has a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H), a high severity rating driven by the availability impact; the vector records no confidentiality or integrity impact.

Unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and no user interaction. The path traversal allows arbitrary file deletion on the targeted system, which results in denial of service (high availability impact).

The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/ppv-live-webcams/vulnerability/wordpress-paid-videochat-turnkey-site-plugin-7-2-12-arbitrary-file-deletion-vulnerability?_s_id=cve describes the issue as an arbitrary file deletion vulnerability in the WordPress Paid Videochat Turnkey Site plugin version 7.2.12.

Details

CWE(s)
CWE-22

References