CVE-2026-27053 | Severity: CRITICAL | CNA: Patchstack

CVE-2026-27053: WordPress Broadcast Live Video plugin < 7.1.3 - PHP Object Injection vulnerability

Unauthenticated PHP Object Injection in Broadcast Live Video versions before 7.1.3.

Metrics

CVSS v3.1: 9.8
Severity: CRITICAL
Fixed in: 7.1.3
Affected Products: 1


HarborGuard Analysis

Synopsis

CVE-2026-27053 is an unauthenticated PHP Object Injection vulnerability in the Broadcast Live Video WordPress plugin by VideoWhisper.com, affecting versions below 7.1.3. PHP Object Injection arises when attacker-controlled input is deserialized into PHP objects; what an attacker can achieve with it depends on the classes (gadget chains) loaded in the application. The CVSS vector shows the vulnerability is reachable over the network with no authentication and no user interaction required. Successful exploitation is rated as full confidentiality, integrity, and availability impact on the host, enabling arbitrary code execution, data theft, or complete service takeover. A patched-image rebuild at version 7.1.3 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including Patchstack, within minutes of publication and matched against all customer images, including custom-built WordPress images that bundle this plugin. Any image carrying a Broadcast Live Video version below 7.1.3 is flagged automatically.

Triage: Available

HarborGuard scores this finding at CVSS 9.8 Critical and can weight that score against each customer's per-environment compliance policy to determine an urgency tier. Triage routing can direct the finding to the right team inbox within each customer organization based on image ownership and policy configuration.

Patch: Available

A patched-image rebuild at Broadcast Live Video 7.1.3 becomes available through HarborGuard once the fix version is confirmed in the upstream advisory record. For customers who opt into auto-remediation, HarborGuard can perform a rebuild, run a regression test suite against the updated image, and open a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network, so an attacker must be able to reach the WordPress installation via HTTP or HTTPS.

  • Authentication: Not required

    No account or session token is needed; the injection can be triggered by any unauthenticated HTTP request.

  • Victim interaction: Not required

    No victim action such as clicking a link or visiting a page is required for the attack to succeed.

  • Attack complexity: Low

    Attack complexity is Low, meaning the exploit is reliable and repeatable without depending on race conditions, memory layout, or other environmental factors.

Blast Radius

  • Reads arbitrary files on the server, including WordPress configuration files containing database credentials and secret keys.
  • Writes or modifies files on the server, enabling an attacker to plant malicious code or alter existing application logic.
  • Executes arbitrary operating system commands under the web server process account, giving the attacker a foothold on the host.
  • Crashes or degrades the WordPress service, resulting in full denial of service for site visitors and administrators.

How HarborGuard Handles This

HarborGuard matches this Critical-severity PHP Object Injection against customer images within minutes of CVE publication, covering any WordPress-based image that bundles the Broadcast Live Video plugin below version 7.1.3. Where compliance policy permits, HarborGuard can trigger a patched-image rebuild at version 7.1.3, run automated regression tests against the rebuilt image, and open a pull request against affected workloads. For environments with auto-remediation enabled, the median time from CVE publication to a merged patch PR for Critical-severity issues is around 90 minutes. Customers who have not yet enabled auto-remediation can review the flagged findings in the HarborGuard dashboard and initiate a rebuild manually. Because this vulnerability requires no authentication and is trivially exploitable over the network, prioritizing the upgrade to 7.1.3 or temporarily restricting network access to the affected WordPress endpoint via network policy is strongly recommended until the patched image is deployed.


Fix available: 7.1.3

Affected packages

  • VideoWhisper.com / Broadcast Live Video
    < 7.1.3 (from n/a)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H