HIGH | CVE-2026-27333 | CNA: Patchstack

CVE-2026-27333: WordPress Paid Videochat Turnkey Site plugin <= 7.3.23 - Deserialization of untrusted data vulnerability

Unauthenticated deserialization of untrusted data in Paid Videochat Turnkey Site versions <= 7.3.23.

Metrics

CVSS v3.1: 8.1
Severity: HIGH
Fixed in: no fixed version published yet
Affected Products: 1


HarborGuard Analysis

Synopsis

This is a deserialization-of-untrusted-data vulnerability in the Paid Videochat Turnkey Site WordPress plugin by VideoWhisper.com, affecting all versions up to and including 7.3.23. An unauthenticated attacker can reach the vulnerable endpoint over the network and supply a crafted serialized payload, with no login or user interaction required. Successful exploitation gives the attacker full read, write, and availability impact on the affected system, which typically means remote code execution or complete data compromise depending on available PHP gadget chains. No fix version has been published yet; HarborGuard tracks the upstream advisory and will make a patched-image rebuild available the moment a fix ships.

HarborGuard Coverage

Detection: Available

Detection for CVE-2026-27333 is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including the Patchstack advisory feed, within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines. This matching covers custom-built WordPress images that bundle the Paid Videochat Turnkey Site plugin, not just official distribution images.

Triage: Available

HarborGuard scores this CVE at CVSS 8.1 HIGH and weights it against each environment's compliance policy to determine urgency and escalation path. Triage routing directs alerts to the appropriate team inbox within each customer organization based on image ownership and policy rules.

Patch: Pending upstream

Because no fix version has been published upstream, HarborGuard re-checks the Patchstack and VideoWhisper.com advisories on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will be triggered without manual intervention as soon as a safe target version becomes available.

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network, meaning an attacker must be able to send HTTP requests to the WordPress installation to deliver a malicious serialized payload.

  • Authentication: Not required

    No account or session token is needed; the deserialization sink is reachable by any unauthenticated HTTP request.

  • Victim interaction: Not required

    The attack is fully server-side and requires no action from any user or administrator of the WordPress site.

  • Attack complexity: High (see detail)

    Attack complexity is rated High, meaning exploitation is not trivially reliable and likely depends on environmental factors such as the presence of a suitable PHP gadget chain in the application's class scope or specific timing conditions.

Blast Radius

  • A successful attacker can read any data accessible to the PHP process, including WordPress database credentials, stored user records, and session tokens.
  • The attacker can write or modify files and database rows, enabling defacement, backdoor installation, or manipulation of site content and user data.
  • The attacker can crash or make the WordPress service unavailable by corrupting application state or consuming server resources through the deserialized payload.
  • Because WordPress often runs with broad filesystem permissions, exploitation can extend beyond the plugin itself to the entire web root and any co-located applications.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists for CVE-2026-27333 at this time, the platform monitors the Patchstack and VideoWhisper.com advisories on every ingest cycle and will surface a patched-image rebuild the moment a remediated version is published. For customers with auto-remediation enabled, that rebuild will immediately trigger a regression-test run and a PR opened against affected workloads, with no manual steps required. While awaiting a patch, compensating controls worth considering include network-policy isolation to restrict inbound HTTP access to the WordPress installation to known trusted sources only, web application firewall rules that block or flag requests containing serialized PHP object patterns, and egress filtering on the container to limit the blast radius if exploitation occurs. Where compliance policy permits, HarborGuard can flag images containing this plugin version as non-compliant to block promotion to production until the advisory is resolved.
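As an added illustration of the WAF-style compensating control mentioned above (example code written for this page, not HarborGuard's or the plugin's own): a Python check that flags request parameters carrying PHP serialized-object markers, including URL- and base64-wrapped forms, while ignoring plain serialized arrays. The request layout and the sample requests are constructed assumptions.

```python
import base64
import binascii
import re
from urllib.parse import unquote_plus

# Marker of a PHP serialized object (O:) or custom-serialized class (C:), e.g. O:8:"stdClass":1:{
# Plain arrays (a:N:{) are deliberately not flagged: they name no class, so no gadget, and are
# common in benign traffic. The class name is captured so the alert can say what was seen.
PHP_OBJECT_RE = re.compile(
    r'(?:^|[^A-Za-z0-9_])(?:O|C):\d+:"(?P<cls>[A-Za-z_\\][A-Za-z0-9_\\]*)":\d+:')
B64_ALPHABET_RE = re.compile(r'[A-Za-z0-9+/=_-]{8,}')


def _decodings(value):
    """Yield (label, text) for the raw value and its URL- and base64-decoded forms."""
    yield 'raw', value
    decoded = unquote_plus(value)
    if decoded != value:
        yield 'urldecoded', decoded
    for candidate in {value.strip(), decoded.strip()}:
        if B64_ALPHABET_RE.fullmatch(candidate):
            try:
                raw = base64.urlsafe_b64decode(candidate + '=' * (-len(candidate) % 4))
            except (binascii.Error, ValueError):
                continue
            yield 'base64', raw.decode('latin-1')  # latin-1 never fails on arbitrary bytes


def find_php_objects(request):
    """Scan a parsed request {'query': {...}, 'body': {...}, 'cookies': {...}} (string values,
    assumed layout); return (location, encoding, class_name) per parameter carrying a PHP object."""
    hits = []
    for location in ('query', 'body', 'cookies'):
        for name, value in request.get(location, {}).items():
            for label, text in _decodings(value):
                match = PHP_OBJECT_RE.search(text)
                if match:
                    hits.append((f'{location}.{name}', label, match.group('cls')))
                    break
    return hits


# Constructed sample requests (not captured traffic); stdClass stands in for any class name.
SAMPLE_REQUESTS = [
    {'query': {'page': 'videochat', 'room': 'lobby'}},                    # benign
    {'body': {'data': 'O:8:"stdClass":1:{s:3:"foo";s:3:"bar";}'}},       # plain object
    {'query': {'state': 'Tzo4OiJzdGRDbGFzcyI6MDp7fQ=='},                  # base64 of O:8:"stdClass":0:{}
     'cookies': {'sess': 'O%3A8%3A%22stdClass%22%3A0%3A%7B%7D'}},         # URL-encoded form
    {'body': {'opts': 'a:1:{i:0;s:4:"safe";}'}},                           # array only, not flagged
]

if __name__ == '__main__':
    for req in SAMPLE_REQUESTS:
        print(find_php_objects(req) or 'clean')
```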

Affected packages
  • VideoWhisper.com / Paid Videochat Turnkey Site, versions ≤ 7.3.23

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H