CVE-2026-27333 HIGH

CVE-2026-27333: WordPress Paid Videochat Turnkey Site plugin <= 7.3.23 - Deserialization of untrusted data vulnerability

Vendor Videowhisper.com
Product Paid Videochat Turnkey Site
Weakness CWE-502 · Unsafe deserialization
Published June 15, 2026
Last update June 15, 2026

CVSS base score

8.1/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

Unauthenticated Deserialization of untrusted data in Paid Videochat Turnkey Site <= 7.3.23 versions.

Explanation of Vulnerability in Simple Terms

02Summary

Paid Videochat Turnkey Site versions up to 7.3.23 contain a deserialization vulnerability that allows an attacker to execute arbitrary code on the server. The vulnerability requires high attack complexity but no authentication or user interaction. An attacker can exploit this by sending a specially crafted request to deserialize malicious data, leading to remote code execution.

What an attacker can do

03Attacker Capabilities

Run their own code on the server and take full control of the site.

Potential impact on your site

04Site Impact

Complete compromise of the site, including data theft, malware installation, and service disruption.

Conditions required to exploit

05Prerequisites

Network access to the vulnerable application; no authentication required.

Key dates

06Disclosure timeline

June 15, 2026 CVE published

Related vulnerabilities

08Related CVE