CVE-2025-26752
Published: 25 February 2025
Description
Adversaries may delete files left behind by the actions of their intrusion activity.
Security Summary
CVE-2025-26752 is an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability, classified as CWE-22, in the videowhisper-live-streaming-integration WordPress plugin, also referred to as Broadcast Live Video. This flaw affects all versions of the plugin up to and including 6.2, allowing attackers to traverse path restrictions.
The vulnerability can be exploited by unauthenticated remote attackers over the network with low attack complexity and no user interaction required, as indicated by its CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H). Successful exploitation enables arbitrary file deletion, resulting in high impact to availability with a changed scope, potentially disrupting plugin functionality or broader site operations.
Patchstack's advisory at https://patchstack.com/database/Wordpress/Plugin/videowhisper-live-streaming-integration/vulnerability/wordpress-videowhisper-live-streaming-integration-plugin-6-2-arbitrary-file-deletion-vulnerability?_s_id=cve details the arbitrary file deletion vulnerability in version 6.2 and provides guidance on mitigation for affected WordPress installations.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal vuln in public-facing WordPress plugin enables remote unauthenticated exploitation of public-facing app (T1190) and arbitrary file deletion (T1070.004) impacting availability.