CVE-2025-26753
Published: 25 February 2025
Description
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Security Summary
CVE-2025-26753 is an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability, classified as CWE-22, in the videowhisper-live-streaming-integration WordPress plugin, also known as Broadcast Live Video. This issue affects all versions up to and including 6.2, allowing attackers to bypass directory restrictions through manipulated pathnames.
The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high severity due to network accessibility, low attack complexity, no required privileges or user interaction, and high impact on confidentiality. Unauthenticated remote attackers can exploit it to achieve arbitrary file disclosure by traversing to restricted directories and downloading sensitive files.
Patchstack's advisory details this as an arbitrary file download vulnerability in plugin version 6.2, available at https://patchstack.com/database/Wordpress/Plugin/videowhisper-live-streaming-integration/vulnerability/wordpress-videowhisper-live-streaming-integration-plugin-6-2-arbitrary-file-download-vulnerability?_s_id=cve, and outlines mitigation recommendations for affected WordPress installations.
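The root cause described above (a download handler that trusts a user-supplied pathname) is the kind of defect a prefix-and-canonicalization check prevents. The following PHP is an added illustration of such a check, not code from the Broadcast Live Video plugin or from Patchstack's advisory; the function name `resolve_download_path`, the base directory, and the sample requests are all constructed for the demonstration.

```php
<?php
// Added example (not the plugin's own code): a hardened file-download check that
// defends against CWE-22 path traversal. Assumptions: files may be served only from
// one fixed base directory ($baseDir), and the requested name is untrusted input.

/**
 * Resolve $requested under $baseDir and return the canonical path, or null if the
 * result escapes $baseDir, does not exist, or is not a regular file.
 */
function resolve_download_path(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null; // base directory missing or unreadable
    }

    // Reject NUL bytes early: they can truncate the path in lower-level filesystem calls.
    if (strpos($requested, "\0") !== false) {
        return null;
    }

    // realpath() collapses "..", "." and symlinks, so the prefix check below compares
    // canonical forms rather than the attacker-controlled string. A plain search for
    // ".." in $requested would not be enough on its own.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false) {
        return null; // target does not exist
    }

    // The trailing separator stops "/var/www/uploads_private" from matching a base
    // of "/var/www/uploads".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null; // resolved outside the allowed directory
    }

    if (!is_file($candidate)) {
        return null; // directories, devices and the like are never downloadable
    }

    return $candidate;
}

// Constructed demonstration in a throwaway temporary directory.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'vw_demo_' . bin2hex(random_bytes(4));
mkdir($base);
file_put_contents($base . DIRECTORY_SEPARATOR . 'recording.flv', 'constructed sample');

$requests = [
    'recording.flv',            // legitimate request inside the base directory
    '../../../../etc/passwd',   // traversal to an existing file outside the base
    '..%2F..%2Fwp-config.php',  // percent-encoded traversal
    'missing.flv',              // nonexistent file inside the base
];
foreach ($requests as $r) {
    $decoded = rawurldecode($r); // decode once, as PHP does when populating $_GET
    $result  = resolve_download_path($base, $decoded);
    printf("%-28s => %s\n", $r, $result === null ? 'REJECTED' : 'OK: ' . basename($result));
}

unlink($base . DIRECTORY_SEPARATOR . 'recording.flv');
rmdir($base);
```

Only the first request resolves; the traversal attempts are refused by the prefix comparison (or by `realpath()` returning `false` when the target does not exist), which is the property a download endpoint needs before calling `readfile()`. The actual remediation for affected sites remains updating the plugin as the advisory recommends.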
Details
- CWE(s): CWE-22, Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
MITRE ATT&CK Enterprise Techniques
- T1190: Exploit Public-Facing Application
- T1005: Data from Local System
Why these techniques?
Path traversal in a public-facing WordPress plugin enables unauthenticated remote file disclosure, which maps directly to exploitation of public-facing applications (T1190) and facilitates collection of data from the local system via arbitrary file reads (T1005).