Cyber Posture

CVE-2025-26753

Severity: High

Published: 25 February 2025
Modified: 23 April 2026
KEV Added: (none)
Patch: (none listed)
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0026 (49.3rd percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-26753 is a high-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 49.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique (T1005, Data from Local System). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5), AI-generated

Prevent: SI-10 directly prevents path traversal vulnerabilities by enforcing input validation mechanisms at entry points to reject or sanitize malicious pathnames like '../' sequences.

Prevent: SI-2 ensures timely identification, reporting, and patching of flaws such as this arbitrary file disclosure vulnerability in the videowhisper-live-streaming-integration plugin up to version 6.2.

Prevent: AC-3 enforces access control policies to restrict unauthorized access to files and directories, mitigating improper pathname limitations that allow traversal to sensitive areas.

MITRE ATT&CK Enterprise Techniques, AI-generated

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

Why these techniques?

Path traversal in public-facing WordPress plugin enables unauthenticated remote file disclosure, directly mapping to exploitation of public-facing apps (T1190) and facilitating local system data collection via arbitrary file reads (T1005).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in videowhisper Broadcast Live Video videowhisper-live-streaming-integration allows Path Traversal. This issue affects Broadcast Live Video: from n/a through <= 6.2.

Deeper analysis, AI-generated

CVE-2025-26753 is an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability, classified as CWE-22, in the videowhisper-live-streaming-integration WordPress plugin, also known as Broadcast Live Video. This issue affects all versions up to and including 6.2, allowing attackers to bypass directory restrictions through manipulated pathnames.

The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high severity due to network accessibility, low attack complexity, no required privileges or user interaction, and high impact on confidentiality. Unauthenticated remote attackers can exploit it to achieve arbitrary file disclosure by traversing to restricted directories and downloading sensitive files.

Patchstack's advisory details this as an arbitrary file download vulnerability in plugin version 6.2, available at https://patchstack.com/database/Wordpress/Plugin/videowhisper-live-streaming-integration/vulnerability/wordpress-videowhisper-live-streaming-integration-plugin-6-2-arbitrary-file-download-vulnerability?_s_id=cve, and outlines mitigation recommendations for affected WordPress installations.
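As an added illustration of the SI-10 control listed above (example code written for this page, not code from the videowhisper plugin or from Patchstack), the following shows the check a file-download endpoint needs so that a traversing pathname cannot escape its base directory. It assumes a hypothetical handler that serves files from a single fixed directory ($baseDir) selected by an untrusted 'file' request parameter ($requested); the WordPress path in the usage comment is likewise an assumption.

```php
<?php
// Added example (hypothetical handler, not the plugin's code).
// Merely stripping '../' from the input is not enough: the request can use
// absolute paths, encoded separators or symlinks. The robust approach is to
// canonicalise the final path and check that it stays inside $baseDir.
function resolveDownloadPath(string $baseDir, string $requested): ?string
{
    // NUL bytes truncate the path in the underlying C calls; reject outright.
    if (strpos($requested, "\0") !== false) {
        return null;
    }

    $base = realpath($baseDir);
    if ($base === false) {
        return null; // the base directory must exist and be resolvable
    }

    // realpath() resolves '.', '..' and symlinks, and returns false when the
    // target does not exist. Joining with $base first means an absolute
    // $requested such as '/etc/passwd' is treated as relative to $base.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false) {
        return null;
    }

    // Containment check with a trailing separator, so that a sibling
    // directory whose name merely starts with $base (e.g. 'uploads2') fails.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null; // resolved outside the allowed directory: traversal
    }

    if (!is_file($candidate)) {
        return null; // never serve directories or special files
    }

    return $candidate;
}

// Usage at the endpoint (assumed WordPress layout; status_header() is a
// WordPress function):
// $path = resolveDownloadPath(WP_CONTENT_DIR . '/uploads/videowhisper', $_GET['file'] ?? '');
// if ($path === null) { status_header(403); exit; }
// readfile($path);
```

Because the check runs on the canonical path rather than on the raw input, a symlink inside the upload directory that points outside it is rejected as well.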

Details

CWE(s): CWE-22, Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVEs Like This One

CVE-2026-23536 (shared CWE-22)
CVE-2025-23422 (shared CWE-22)
CVE-2025-8343 (shared CWE-22)
CVE-2025-10559 (shared CWE-22)
CVE-2025-67076 (shared CWE-22)
CVE-2026-5258 (shared CWE-22)
CVE-2025-25155 (shared CWE-22)
CVE-2024-51376 (shared CWE-22)
CVE-2024-13471 (shared CWE-22)
CVE-2026-27442 (shared CWE-22)

References