Weak Password Recovery Mechanism for Forgotten Password vulnerability in videowhisper Paid Videochat Turnkey Site ppv-live-webcams allows Password Recovery Exploitation.This issue affects Paid Videochat Turnkey Site: from n/a through <= 7.3.11.
The vulnerability consists of a flawed implementation of the password recovery process, which can be exploited in a predictable manner or bypass user identity verification. An attacker without any privileges, acting remotely over the network, can abuse this mechanism to reset or take control of another user's account. The lack of required user interaction and the low complexity level of the attack make this vulnerability particularly easy to exploit.
An attacker can gain unauthorized access to user accounts on the site, leading to violation of confidentiality, integrity, and availability of data — including potentially taking full administrative control over the WordPress website.
The Paid Videochat Turnkey Site plugin should be updated to a version higher than 7.3.11. Patches available from the vendor should be applied according to references. It is also recommended to enforce password changes for all users and audit access logs for signs of exploitation.
WordPress plugin Paid Videochat Turnkey Site (ppv-live-webcams) by videowhisper, versions from unspecified to 7.3.11 inclusive.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H