CVE-2025-26752 Overview
CVE-2025-26752 is a path traversal vulnerability in the VideoWhisper Broadcast Live Video plugin (videowhisper-live-streaming-integration) for WordPress. The flaw allows unauthenticated attackers to delete arbitrary files on the server by manipulating file path parameters. The vulnerability affects all plugin versions up to and including 6.2 and is classified under CWE-22. Successful exploitation can corrupt WordPress installations, disable security controls, or enable follow-on remote code execution by deleting wp-config.php and forcing a setup state.
Critical Impact
Unauthenticated network attackers can delete arbitrary files outside the plugin's intended directory, resulting in availability loss and potential takeover of the affected WordPress site.
Affected Products
- VideoWhisper Broadcast Live Video plugin for WordPress
- All versions up to and including 6.2 (the advisory gives no lower bound)
- WordPress sites with the videowhisper-live-streaming-integration plugin installed and active
Discovery Timeline
- 2025-02-25 - CVE-2025-26752 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2025-26752
Vulnerability Analysis
The vulnerability stems from improper limitation of a pathname to a restricted directory within the VideoWhisper Broadcast Live Video plugin. The plugin accepts user-controllable input that is used to construct a file path for a delete operation without sufficient sanitization or canonicalization. An attacker can supply traversal sequences such as ../ to escape the intended directory and reference arbitrary files on the host filesystem.
Because the flaw is reachable over the network without authentication or user interaction, exploitation requires only a crafted HTTP request to the vulnerable plugin endpoint. The direct impact is loss of integrity and availability: deleted files cannot be recovered without backups. Deleting a critical WordPress file such as wp-config.php triggers the WordPress installation wizard, which an attacker can use to point the site at an attacker-controlled database and take over the site.
Root Cause
The root cause is missing validation of file path input before passing it to a file deletion function. The plugin does not verify that the resolved canonical path remains within an allowed base directory, nor does it strip directory traversal sequences. This maps directly to CWE-22: Improper Limitation of a Pathname to a Restricted Directory.
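The containment check the root cause calls for, as an added illustration rather than the plugin's code: a hardened delete helper canonicalizes the joined path and proves it still sits under the allowed base directory, shown beside the unchecked pattern that CWE-22 describes. Every name here (resolve_inside_base, delete_checked, the uploads/ stand-in for the plugin's directory) is an assumption made for the example.

```python
import os
import tempfile
from typing import Optional


def resolve_inside_base(base_dir: str, user_path: str) -> Optional[str]:
    """Canonicalize base_dir + user_path and return it only if it stays inside base_dir.

    Hypothetical helper (not the plugin's code). Rejects traversal ('..'),
    absolute paths, symlinks that resolve outside the base, NUL bytes, and
    the base directory itself.
    """
    if "\0" in user_path:
        return None
    base_real = os.path.realpath(base_dir)
    # Join first, then canonicalize: realpath() collapses '..' segments and
    # resolves symlinks, so the containment test sees the real target.
    candidate = os.path.realpath(os.path.join(base_real, user_path))
    # commonpath() is the containment test. A plain startswith() would wrongly
    # accept a sibling such as /srv/uploads-old when the base is /srv/uploads.
    if candidate == base_real or os.path.commonpath([base_real, candidate]) != base_real:
        return None
    return candidate


def delete_unchecked(base_dir: str, user_path: str) -> bool:
    """The CWE-22 pattern: join the caller's path and delete with no containment check."""
    target = os.path.join(base_dir, user_path)
    if not os.path.isfile(target):
        return False
    os.remove(target)
    return True


def delete_checked(base_dir: str, user_path: str) -> bool:
    """Hardened form: delete only a canonical path proven to sit under base_dir."""
    target = resolve_inside_base(base_dir, user_path)
    if target is None or not os.path.isfile(target):
        return False
    os.remove(target)
    return True


def demo() -> dict:
    """Run both variants against the same traversal input in a throwaway tree.

    Constructed layout: <tmp>/wp-config.php and <tmp>/uploads/clip.flv, with
    'uploads' standing in for the directory the plugin is allowed to manage.
    """
    root = tempfile.mkdtemp()
    uploads = os.path.join(root, "uploads")
    os.makedirs(uploads)
    for rel in ("wp-config.php", os.path.join("uploads", "clip.flv")):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("placeholder\n")
    config = os.path.join(root, "wp-config.php")

    return {
        # The hardened handler refuses the traversal and leaves wp-config.php alone...
        "checked_traversal_deleted": delete_checked(uploads, "../wp-config.php"),
        "config_present_after_checked": os.path.exists(config),
        # ...while still serving a legitimate delete inside its directory.
        "checked_legit_deleted": delete_checked(uploads, "clip.flv"),
        # The unchecked handler removes the file outside its directory.
        "unchecked_traversal_deleted": delete_unchecked(uploads, "../wp-config.php"),
        "config_present_after_unchecked": os.path.exists(config),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The order of operations matters: join, then canonicalize, then compare against the canonical base. Stripping "../" substrings from the input instead is not equivalent, since encoded or nested sequences can survive a single pass and a symlink inside the directory can still point outside it.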
Attack Vector
The attack vector is network-based via HTTP requests to the WordPress site hosting the vulnerable plugin. No authentication or user interaction is required. The attacker sends a request to the plugin handler with a manipulated file path parameter containing traversal sequences. The handler resolves the path relative to the plugin directory and invokes a delete operation, removing the targeted file from the server.
No verified public proof-of-concept code is available. Refer to the Patchstack Vulnerability Report for additional technical context.
Detection Methods for CVE-2025-26752
Indicators of Compromise
- HTTP requests to plugin endpoints under /wp-content/plugins/videowhisper-live-streaming-integration/ containing ../ or URL-encoded traversal sequences such as %2e%2e%2f
- Unexpected absence of WordPress core files including wp-config.php, .htaccess, or index.php
- WordPress installation wizard appearing on a previously configured site
- File deletion events in webserver or PHP logs targeting paths outside the plugin directory
Detection Strategies
- Inspect webserver access logs for POST or GET requests to VideoWhisper plugin handlers containing path traversal patterns
- Monitor filesystem integrity for unauthorized deletions in the WordPress document root
- Correlate plugin endpoint access with subsequent file modification or deletion telemetry
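The access-log inspection described in the strategies above, as an added example that is not taken from the page or the plugin: it parses combined-format log lines, percent-decodes the request target until it stops changing so that single- and double-encoded traversal both become visible, and flags only requests aimed at the plugin directory. The handler.php file name, the file parameter and the log lines themselves are constructed placeholders, not the plugin's real endpoint.

```python
import re
from typing import Iterable, List, Optional
from urllib.parse import unquote

# Plugin directory named in the advisory. The handler file and the 'file'
# parameter used in the sample lines below are placeholders.
PLUGIN_PATH = "/wp-content/plugins/videowhisper-live-streaming-integration/"

# Apache/nginx "combined" log format; only the fields the detector needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# After decoding, every encoding variant collapses to one of these two forms.
TRAVERSAL_RE = re.compile(r'\.\./|\.\.\\')


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable so %2e%2e%2f and double-encoded %252e%252e%252f both read as '../'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(line: str) -> Optional[dict]:
    """Return a finding for a plugin request carrying a traversal sequence, else None.

    Limitation: access logs keep only the request line, so a traversal sent in
    a POST body is invisible here and needs WAF or PHP-level logging instead.
    """
    match = LOG_RE.match(line)
    if not match:
        return None  # malformed or non-combined line: skip rather than crash
    decoded_target = fully_decode(match.group("target"))
    if PLUGIN_PATH not in decoded_target:
        return None  # out of scope for this rule; other plugins get their own
    if not TRAVERSAL_RE.search(decoded_target):
        return None
    return {
        "ip": match.group("ip"),
        "ts": match.group("ts"),
        "method": match.group("method"),
        "status": int(match.group("status")),
        "raw_target": match.group("target"),
        "decoded_target": decoded_target,
    }


def scan(lines: Iterable[str]) -> List[dict]:
    """Run classify() over a log stream and keep the hits."""
    return [f for f in (classify(line) for line in lines) if f is not None]


# Constructed sample lines: documentation IP ranges, placeholder handler name.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Feb/2025:10:01:02 +0000] "GET /wp-content/plugins/videowhisper-live-streaming-integration/handler.php?file=../../../wp-config.php HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.7 - - [25/Feb/2025:10:01:05 +0000] "GET /wp-content/plugins/videowhisper-live-streaming-integration/handler.php?file=%252e%252e%252f%252e%252e%252fwp-config.php HTTP/1.1" 200 512 "-" "curl/8.4.0"
198.51.100.4 - - [25/Feb/2025:10:02:11 +0000] "GET /wp-content/plugins/videowhisper-live-streaming-integration/css/style.css HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [25/Feb/2025:10:03:40 +0000] "GET /wp-content/plugins/other-plugin/x.php?f=../../wp-config.php HTTP/1.1" 404 300 "-" "Mozilla/5.0"
this line is not in combined format
"""


def findings_from_sample() -> List[dict]:
    return scan(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for finding in findings_from_sample():
        print(finding["ts"], finding["ip"], finding["status"], finding["decoded_target"])
```

Only the two requests against the plugin directory are reported; the benign stylesheet fetch and the traversal attempt against an unrelated plugin are left for other rules, and the malformed line is skipped rather than aborting the scan. A 200 status on a hit is the pairing the monitoring section suggests correlating with missing-file errors that follow.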
Monitoring Recommendations
- Enable file integrity monitoring (FIM) on the WordPress wp-content, wp-admin, and wp-includes directories
- Forward webserver and PHP-FPM logs to a centralized SIEM for traversal pattern matching
- Alert on HTTP 200 responses to plugin endpoints followed by missing core file errors
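A minimal file integrity check for the FIM recommendation above, added here as an example and not part of the page or any product: it snapshots SHA-256 hashes of a document root, diffs a later snapshot to list deleted, added and modified files, and checks the core files from the indicators list directly. The directory layout it builds is constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from typing import Dict, Iterable, List

# WordPress files whose disappearance is listed as an indicator on this page.
CRITICAL_FILES = ("wp-config.php", ".htaccess", "index.php")


def sha256_of(path: str) -> str:
    """Stream a file through SHA-256 so large media uploads do not sit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: str) -> Dict[str, str]:
    """Map every regular file under root (relative POSIX-style path) to its SHA-256."""
    result: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # record real files, not link entries
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = sha256_of(full)
    return result


def diff_snapshots(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Deleted files are the ones this CVE produces; modified/added catch follow-on tampering."""
    deleted = sorted(set(baseline) - set(current))
    added = sorted(set(current) - set(baseline))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"deleted": deleted, "added": added, "modified": modified}


def missing_critical(current: Dict[str, str], critical: Iterable[str] = CRITICAL_FILES) -> List[str]:
    """Direct check for the core files whose absence is an indicator of compromise."""
    return [name for name in critical if name not in current]


def demo() -> dict:
    """Build a constructed document root, take a baseline, then simulate the damage the page describes."""
    root = tempfile.mkdtemp()
    layout = {
        "wp-config.php": "<?php // database settings\n",
        ".htaccess": "RewriteEngine On\n",
        "index.php": "<?php\n",
        "wp-content/uploads/clip.flv": "FLV\n",
    }
    for rel, body in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(body)
    baseline = snapshot(root)

    # Post-incident state: wp-config.php deleted, .htaccess altered afterwards.
    os.remove(os.path.join(root, "wp-config.php"))
    with open(os.path.join(root, ".htaccess"), "a") as fh:
        fh.write("# tampered\n")
    current = snapshot(root)

    return {
        "diff": diff_snapshots(baseline, current),
        "missing_critical": missing_critical(current),
    }


if __name__ == "__main__":
    print(demo())
```

In production the baseline would be written to storage the web server user cannot modify and the comparison scheduled or triggered from the SIEM; the point of the diff is that a deletion shows up as an entry present in the baseline and absent now, which is the signal an availability-only attack leaves behind.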
How to Mitigate CVE-2025-26752
Immediate Actions Required
- Deactivate and remove the VideoWhisper Broadcast Live Video plugin until a patched version is confirmed installed
- Audit the WordPress installation for missing or unexpectedly deleted files and restore from known-good backups
- Apply Web Application Firewall (WAF) rules to block requests containing directory traversal sequences to plugin endpoints
Patch Information
At the time of this writing, the Patchstack advisory lists versions through 6.2 as affected. Administrators should upgrade to the latest available release of videowhisper-live-streaming-integration and verify the installed version is greater than 6.2. Subscribe to the WordPress plugin repository update channel for this plugin.
Workarounds
- Remove the plugin entirely if a patched version is not yet available
- Restrict access to the plugin's PHP handlers using webserver ACLs or .htaccess rules until a fix is applied
- Deploy WAF signatures that block ../, ..\, and URL-encoded traversal payloads targeting /wp-content/plugins/videowhisper-live-streaming-integration/
- Run WordPress with filesystem permissions that prevent the webserver user from deleting files outside wp-content/uploads
# Example WAF rule (ModSecurity) to block traversal against the plugin path.
# Rule 1 scopes the check to the plugin directory; the chained rule 2 supplies the
# traversal test, so the request is denied only when both conditions match.
SecRule REQUEST_URI "@contains /wp-content/plugins/videowhisper-live-streaming-integration/" \
    "id:1026752,phase:2,deny,status:403,chain,msg:'CVE-2025-26752 path traversal attempt'"
    # t:urlDecodeUni runs after t:lowercase, so %2E%2E%2F becomes ../ before the regex runs;
    # the literal %2e%2e alternative still catches double-encoded payloads (%252e%252e...).
    SecRule ARGS|REQUEST_URI "@rx (\.\./|\.\.\\|%2e%2e(%2f|%5c))" "t:none,t:lowercase,t:urlDecodeUni"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.