Cyber Resilience

CVE-2025-8899

Severity: High
Published: 07 March 2026
Modified: 22 April 2026
KEV Added: not listed
Patch: available (changeset 3348788)
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0037 (28.7th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2025-8899 is a high-severity Improper Privilege Management (CWE-269) vulnerability in WordPress (affected product inferred from references). Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 28.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-6 (Least Privilege).

Deeper analysis

CVE-2025-8899 is a privilege escalation vulnerability affecting the Paid Videochat Turnkey Site – HTML5 PPV Live Webcams plugin for WordPress in all versions up to and including 7.3.20. The issue stems from the videowhisper_register_form() function, which fails to restrict user roles that can be set during registration, as documented under CWE-269 (Improper Privilege Management). It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-03-07.

Authenticated attackers with Author-level access or higher can exploit this by creating posts or pages that embed the registration form with the administrator role preselected. They can then submit the form to register a new administrator account, granting full control over the WordPress site. Contributors can attempt the same, but success is less likely as it requires an administrator to approve the form submission with the elevated role.

Advisories point to mitigation via the patch in changeset 3348788 for the ppv-live-webcams plugin, accessible through the WordPress plugin Trac. Additional details are available in the plugin's shortcodes.php source at line 2464 and in Wordfence's threat intelligence report.


Vulnerability details

The Paid Videochat Turnkey Site – HTML5 PPV Live Webcams plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 7.3.20. This is due to the videowhisper_register_form() function not restricting user roles that can be set during registration. This makes it possible for authenticated attackers, with Author-level access and above, to create posts/pages with the registration form and administrator set as the role and subsequently use that form to register an administrator account. This can also be exploited by contributors, but is far less likely to be successful because an administrator would need to approve the form with the administrator role for the attack to be successful.
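The flaw described in the Deeper analysis and Vulnerability details above is a registration form that lets whoever writes the post choose the role of the account it creates. As an added example in the plugin's language, and not the plugin's own code, here is a hardened shortcode that resolves the role against an allowlist when the form is rendered and again when it is submitted; the example_* names and the shortcode tag are assumptions.

```php
<?php
// Added example in the plugin's language; not the plugin's own code. A
// registration shortcode whose role comes from the post content, hardened
// so a privileged role can never be assigned that way. example_* names and
// the shortcode tag are hypothetical.

// Roles a self-service form may ever hand out; administrator is absent.
const EXAMPLE_SELF_REGISTRATION_ROLES = array( 'subscriber' );

// The requested role is honoured only if allowlisted, so
// [example_register role="administrator"] placed by an Author falls back
// to the site's default role.
function example_resolve_registration_role( $requested_role ) {
    $requested_role = sanitize_key( (string) $requested_role );
    if ( in_array( $requested_role, EXAMPLE_SELF_REGISTRATION_ROLES, true ) ) {
        return $requested_role;
    }
    return get_option( 'default_role', 'subscriber' );
}

function example_register_form_shortcode( $atts ) {
    $atts = shortcode_atts( array( 'role' => '' ), $atts, 'example_register' );
    $role = example_resolve_registration_role( $atts['role'] );
    return '<form method="post">'
        . wp_nonce_field( 'example_register', 'example_nonce', true, false )
        . '<input type="email" name="example_email" required>'
        . '<input type="hidden" name="example_role" value="' . esc_attr( $role ) . '">'
        . '<button type="submit">Register</button></form>';
}
add_shortcode( 'example_register', 'example_register_form_shortcode' );

function example_handle_registration() {
    $nonce = sanitize_text_field( wp_unslash( $_POST['example_nonce'] ?? '' ) );
    if ( ! wp_verify_nonce( $nonce, 'example_register' ) ) {
        return;
    }
    $email = sanitize_email( wp_unslash( $_POST['example_email'] ?? '' ) );
    if ( ! is_email( $email ) ) {
        return;
    }
    // Re-resolve on submission: a tampered hidden field cannot raise the role.
    $role = example_resolve_registration_role( $_POST['example_role'] ?? '' );
    wp_insert_user( array(
        'user_login' => sanitize_user( strstr( $email, '@', true ), true ),
        'user_email' => $email,
        'user_pass'  => wp_generate_password( 24 ),
        'role'       => $role,
    ) );
}
add_action( 'init', 'example_handle_registration' );
```

The same allowlist check on both the render and the submit path is what keeps a role chosen in post content, or edited in the browser, from ever reaching wp_insert_user().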

CWE(s)

CWE-269 Improper Privilege Management

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The vulnerability is a post-auth privilege escalation flaw allowing role manipulation during registration to create admin accounts.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-23896 (shared CWE-269)
CVE-2025-27639 (shared CWE-269)
CVE-2025-26705 (shared CWE-269)
CVE-2015-10139 (shared CWE-269)
CVE-2026-8972 (shared CWE-269)
CVE-2025-0893 (shared CWE-269)
CVE-2026-6769 (shared CWE-269)
CVE-2025-2858 (shared CWE-269)
CVE-2025-48613 (shared CWE-269)
CVE-2025-48645 (shared CWE-269)

Affected Assets

WordPress
Inferred from references and description; NVD did not file a CPE for this CVE.

Mitigating Controls (NIST 800-53 r5)

AC-6 Least Privilege (prevent)

Enforcing least privilege prevents authenticated users like Authors from assigning administrator roles during registration via the flawed videowhisper_register_form() function.

AC-2 Account Management (prevent)

Account management processes restrict unauthorized creation of elevated administrator accounts through embedded registration forms on posts or pages.

SI-2 Flaw Remediation (prevent)

Timely flaw remediation by applying the patch in changeset 3348788 directly fixes the unrestricted user role assignment in the plugin's registration function.

References