CVE-2025-8899 is a critical privilege escalation vulnerability identified in the Paid Videochat Turnkey Site – HTML5 PPV Live Webcams plugin for WordPress, affecting all versions up to and including 7.3.20. The root cause is improper privilege management (CWE-269) in the videowhisper_register_form() function, which fails to restrict the user roles that can be assigned during the registration process. Authenticated users with Author-level permissions or higher can exploit this flaw by creating posts or pages containing a registration form that assigns the administrator role to new users. This enables them to register new administrator accounts without requiring administrator intervention, effectively escalating their privileges to full administrative control over the WordPress site. While contributors can also attempt exploitation, success depends on an administrator approving the form with the administrator role, making it less likely. The vulnerability has a CVSS 3.1 base score of 8.8, reflecting its high impact on confidentiality, integrity, and availability, with network attack vector, low attack complexity, and no user interaction required. Although no known exploits are reported in the wild, the ease of exploitation and the critical nature of the impact make this a significant threat to affected sites. The vulnerability underscores the importance of strict role validation during user registration processes in WordPress plugins, especially those handling sensitive functions like user management and payment-enabled video chat services.

If exploited, this vulnerability allows attackers with relatively low-level authenticated access (Author role) to escalate their privileges to administrator level, granting full control over the WordPress site. This can lead to complete compromise of the website, including unauthorized access to sensitive user data, modification or deletion of content, installation of malicious plugins or backdoors, and disruption of service. The integrity of the site’s content and configuration can be undermined, and confidentiality of user and business data can be breached. For organizations relying on this plugin for live video chat and payment processing, the consequences include potential financial fraud, reputational damage, and regulatory compliance violations. The vulnerability’s network accessibility and lack of required user interaction increase the risk of automated or targeted attacks. Given the widespread use of WordPress and the popularity of video chat plugins, the scope of affected systems could be significant, especially for sites that have not applied patches or mitigations.

1. Immediately update the Paid Videochat Turnkey Site plugin to a patched version once available from the vendor. 2. Until an official patch is released, restrict Author-level and Contributor-level users from creating posts or pages that include registration forms by adjusting WordPress permissions or using content filtering plugins. 3. Implement custom code or plugins to validate and enforce allowed user roles during registration, explicitly disallowing assignment of administrator or other privileged roles. 4. Monitor user registrations and newly created administrator accounts closely for suspicious activity. 5. Audit existing administrator accounts for unauthorized additions and remove any suspicious accounts. 6. Employ web application firewalls (WAFs) with rules to detect and block attempts to exploit this registration form vulnerability. 7. Educate site administrators about the risk and encourage limiting the number of users with Author or higher roles. 8. Regularly review and harden WordPress user role assignments and capabilities to minimize privilege escalation risks. 9. Consider isolating critical administrative functions behind multi-factor authentication and IP restrictions to reduce impact if escalation occurs.