CVE-2025-8899
Published: 07 March 2026
Summary
CVE-2025-8899 is a high-severity Improper Privilege Management (CWE-269) vulnerability in WordPress (product inferred from references). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 28.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-6 (Least Privilege).
Deeper analysis
CVE-2025-8899 is a privilege escalation vulnerability affecting the Paid Videochat Turnkey Site – HTML5 PPV Live Webcams plugin for WordPress in all versions up to and including 7.3.20. The issue stems from the videowhisper_register_form() function, which fails to restrict user roles that can be set during registration, as documented under CWE-269 (Improper Privilege Management). It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-03-07.
Authenticated attackers with Author-level access or higher can exploit this by creating posts or pages that embed the registration form with the administrator role preselected. They can then submit the form to register a new administrator account, granting full control over the WordPress site. Contributors can attempt the same, but success is less likely as it requires an administrator to approve the form submission with the elevated role.
Advisories point to mitigation via the patch in changeset 3348788 for the ppv-live-webcams plugin, accessible through the WordPress plugin Trac. Additional details are available in the plugin's shortcodes.php source at line 2464 and in Wordfence's threat intelligence report.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-208352
Vulnerability details
The Paid Videochat Turnkey Site – HTML5 PPV Live Webcams plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 7.3.20. This is due to the videowhisper_register_form() function not restricting user roles that can be set during registration. This makes it possible for authenticated attackers, with Author-level access and above, to create posts/pages with the registration form and administrator set as the role and subsequently use that form to register an administrator account. This can also be exploited by contributors, but is far less likely to be successful because an administrator would need to approve the form with the administrator role for the attack to be successful.
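A hardened role gate for a shortcode-embedded registration form, added here as an illustration and not the plugin's code (the example_* names, the role attribute and the nonce action are assumptions): the role a page author places in the shortcode is treated as untrusted input, mapped through an allowlist plus a capability check, and re-checked when the form is submitted.

```php
<?php
// Added example, not the plugin's code; the example_* names and the "role" attribute are
// hypothetical. The attribute is attacker-influenced: any Author can publish a post that
// embeds the form with role="administrator", so it is gated here, never passed through.
// Roles a public form may grant (anything else becomes the site default role), and
// capabilities that self-registration must never reach even if the allowlist grows.
const EXAMPLE_SELF_REGISTER_ROLES = array( 'subscriber' );
const EXAMPLE_PRIVILEGED_CAPS = array( 'manage_options', 'edit_users', 'promote_users', 'install_plugins' );

/** Map a requested role to one that self-registration may receive. */
function example_safe_registration_role( $requested ) {
	$default = get_option( 'default_role', 'subscriber' );
	$role    = sanitize_key( (string) $requested );
	if ( ! in_array( $role, EXAMPLE_SELF_REGISTER_ROLES, true ) ) {
		return $default;                  // not allowlisted: ignore what the page asked for
	}
	$role_obj = get_role( $role );
	if ( null === $role_obj ) {
		return $default;                  // role does not exist on this site
	}
	foreach ( EXAMPLE_PRIVILEGED_CAPS as $cap ) {
		if ( $role_obj->has_cap( $cap ) ) {
			return $default;              // allowlisted by mistake, still privileged
		}
	}
	return $role;
}

/** Shortcode handler: gate the role attribute before the form is rendered. */
function example_register_form_shortcode( $atts ) {
	$atts = shortcode_atts( array( 'role' => '' ), $atts, 'example_register_form' );
	$role = example_safe_registration_role( $atts['role'] );
	// Form markup omitted: it posts action=example_register, a wp_nonce_field( 'example_register' ) nonce, and $role as a hidden field.
	return '<!-- registration form, role=' . esc_html( $role ) . ' -->';
}
add_shortcode( 'example_register_form', 'example_register_form_shortcode' );

/** Submission handler (admin-post.php): hidden fields can be edited, so gate the role again. */
function example_handle_registration() {
	if ( ! isset( $_POST['_wpnonce'] ) || ! wp_verify_nonce( $_POST['_wpnonce'], 'example_register' ) ) {
		wp_die( 'Invalid request.' );
	}
	$user_id = wp_insert_user( array(
		'user_login' => sanitize_user( wp_unslash( $_POST['user_login'] ?? '' ) ),
		'user_email' => sanitize_email( wp_unslash( $_POST['user_email'] ?? '' ) ),
		'user_pass'  => (string) wp_unslash( $_POST['user_pass'] ?? '' ),
		'role'       => example_safe_registration_role( $_POST['role'] ?? '' ),
	) );
	if ( is_wp_error( $user_id ) ) {
		wp_die( esc_html( $user_id->get_error_message() ) );
	}
}
add_action( 'admin_post_nopriv_example_register', 'example_handle_registration' );
```

With this gate in place, a post carrying role="administrator" still yields a subscriber account, which is the behaviour the changeset 3348788 fix is meant to restore in the real plugin.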
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a post-auth privilege escalation flaw allowing role manipulation during registration to create admin accounts.
Mitigating Controls (NIST 800-53 r5)
Enforcing least privilege prevents authenticated users like Authors from assigning administrator roles during registration via the flawed videowhisper_register_form() function.
Account management processes restrict unauthorized creation of elevated administrator accounts through embedded registration forms on posts or pages.
Timely flaw remediation by applying the patch in changeset 3348788 directly fixes the unrestricted user role assignment in the plugin's registration function.