CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2025-31380

CVSS 9.8v3.1pub. 2025-04-17upd. 2026-04-23

Weak Password Recovery Mechanism for Forgotten Password vulnerability in videowhisper Paid Videochat Turnkey Site ppv-live-webcams allows Password Recovery Exploitation.This issue affects Paid Videochat Turnkey Site: from n/a through <= 7.3.11.

🤖 AI Analysis
How it works

The vulnerability consists of a flawed implementation of the password recovery process, which can be exploited in a predictable manner or bypass user identity verification. An attacker without any privileges, acting remotely over the network, can abuse this mechanism to reset or take control of another user's account. The lack of required user interaction and the low complexity level of the attack make this vulnerability particularly easy to exploit.

Impact

An attacker can gain unauthorized access to user accounts on the site, leading to violation of confidentiality, integrity, and availability of data — including potentially taking full administrative control over the WordPress website.

Mitigation & patch

The Paid Videochat Turnkey Site plugin should be updated to a version higher than 7.3.11. Patches available from the vendor should be applied according to references. It is also recommended to enforce password changes for all users and audit access logs for signs of exploitation.

Who is affected

WordPress plugin Paid Videochat Turnkey Site (ppv-live-webcams) by videowhisper, versions from unspecified to 7.3.11 inclusive.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
CWE
References