The Paid Videochat Turnkey Site – HTML5 PPV Live Webcams WordPress plugin suffers from improper privilege management (CWE-269) in the videowhisper_register_form() function. This function fails to restrict which user roles can be assigned during registration, enabling authenticated users with Author-level permissions or above to create posts or pages containing registration forms that assign the administrator role. Consequently, these users can register new administrator accounts without proper authorization. Contributors can attempt this attack but require an administrator to approve the form with the administrator role, making exploitation less likely. The vulnerability affects all versions up to 7.3.20. The CVSS v3.1 base score is 8.8, indicating high severity, with network attack vector, low attack complexity, privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. There is no information about an available patch or official vendor advisory at this time.

Successful exploitation allows authenticated users with Author-level or higher privileges to escalate their privileges to administrator by registering new administrator accounts via manipulated registration forms. This compromises the confidentiality, integrity, and availability of the affected WordPress site, potentially allowing full control over site content and settings. Contributors may attempt exploitation but require administrator approval, reducing likelihood. No known exploits are reported in the wild.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict Author-level and higher user permissions to prevent creation of posts/pages with registration forms or monitor such content closely. Limit the ability to create or approve registration forms that assign elevated roles. Avoid granting unnecessary Author-level or higher privileges to untrusted users.