CVE-2026-57331: WordPress Paid Videochat Turnkey Site plugin <= 7.4.8 - Arbitrary File Deletion vulnerability
Performer Arbitrary File Deletion in Paid Videochat Turnkey Site <= 7.4.8 versions.
Metrics
- CVSS v3.1: 9.9
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
An arbitrary file deletion vulnerability affects the Paid Videochat Turnkey Site WordPress plugin at version 7.4.8 and below. The flaw is reachable over the network, requires only a low-privilege account (such as a performer account), and needs no interaction from other users. Successful exploitation lets an attacker delete arbitrary files on the host, which can destroy site content, remove security controls, cause full service disruption, and expose or corrupt data. No fix version has been published yet; HarborGuard tracks the advisory and will make a patched rebuild available the moment upstream ships a fix.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including the Patchstack advisory feed, within minutes of publication and matched against customer images running this plugin. Coverage extends to custom-built WordPress images that bundle the affected plugin.
HarborGuard scores this finding at CVSS 9.9 Critical and weights it against each environment's compliance policy to determine priority routing. The resulting alert is directed to the appropriate team inbox within each customer organization based on configured ownership rules.
Because no upstream fix version exists, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix is published. Customers with auto-remediation enabled will receive the rebuild, a regression-test run, and a PR opened against affected workloads without manual intervention.
Exploit Conditions
- Network reachability: Required
The vulnerable plugin endpoint is exposed over the network, so an attacker must be able to reach the WordPress installation via standard HTTP/S to trigger the flaw.
- Authentication: Required
A low-privilege account (for example, a registered performer account) is sufficient; no administrative credentials are needed.
- Victim interaction: Not required
The attacker can complete the exploit entirely on their own without any action from another user or an administrator.
- Attack complexity: Low
Attack complexity is low, meaning the exploit is reliable and requires no special conditions, race conditions, or environmental factors to succeed.
Blast Radius
- An attacker can delete arbitrary files on the web server, including WordPress core files, plugin files, and configuration files such as wp-config.php.
- Deleting wp-config.php or similar configuration files triggers a WordPress reinstallation flow, which an attacker can exploit to take over the site.
- Critical system or application files outside the web root may also be reachable depending on server permissions, potentially disabling security tooling or logging agents running in the container.
- Because the CVSS scope token is Changed, impact extends beyond the WordPress application itself, meaning other services or data stores co-located in the environment are at risk of disruption or exposure.
How HarborGuard Handles This
Available on HarborGuard: this CVE is actively monitored with no upstream fix currently published. For environments running the affected plugin in container images, HarborGuard re-evaluates the advisory on every ingest cycle and will trigger a patched-image rebuild automatically once videowhisper releases a remediated version. In the interim, compensating controls are available: network-policy rules can be configured to restrict inbound access to the WordPress installation to known IP ranges, and feature-flag or web-application-firewall gating can be applied to block requests targeting the vulnerable performer file-management endpoints. For customers with auto-remediation enabled, the moment a fix version is published the pipeline will rebuild the image, run regression tests, and open a PR against affected workloads; for high and critical severity issues, median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled.
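The performer file-management handler that the controls above gate is not shown on this page, and nothing here describes how the plugin implements it. As an added example (not code from the plugin or from HarborGuard), the following shows the confinement check a defender would expect any deletion handler to apply before it calls unlink() on a name taken from a request: the target must be a plain file, not a symlink, and must resolve inside a directory the server derived from the authenticated user rather than from the request. Function names, the performer-42 directory and the sample files are constructed for the demo; it assumes PHP 8 for str_contains() and str_starts_with().

```php
<?php
// Added example, not the plugin's code: confine a requested file name to a
// per-performer directory before deleting it. Names below are hypothetical.
declare(strict_types=1);

/**
 * Resolve $name inside $baseDir and return the absolute path only if it
 * stays inside $baseDir and is a regular file; otherwise return null.
 */
function resolve_confined_path(string $baseDir, string $name): ?string
{
    // Reject empty names, NUL bytes and anything carrying a directory
    // component ("../x", "sub/x", "/etc/x") before touching the filesystem.
    if ($name === '' || str_contains($name, "\0") || basename($name) !== $name) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $raw = $base . DIRECTORY_SEPARATOR . $name;
    // Refuse symlinks outright: a link inside the directory could point at
    // wp-config.php or any other file the performer must never remove.
    if (is_link($raw)) {
        return null;
    }
    $candidate = realpath($raw);
    if ($candidate === false) {
        return null; // nothing exists under that name
    }
    // Belt and braces: the resolved path must still sit under $base.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (!str_starts_with($candidate, $prefix) || !is_file($candidate)) {
        return null;
    }
    return $candidate;
}

/**
 * Delete one of the current performer's files. $performerDir is derived
 * server-side from the authenticated user, never from request input.
 */
function delete_performer_file(string $performerDir, string $requestedName): bool
{
    $path = resolve_confined_path($performerDir, $requestedName);
    return $path !== null && unlink($path);
}

// Demo on a constructed layout in the system temp directory.
$root = sys_get_temp_dir() . '/confined-demo-' . bin2hex(random_bytes(4));
$dir = "$root/performer-42";
mkdir($dir, 0700, true);
file_put_contents("$dir/clip.mp4", 'sample');          // the performer's own upload
file_put_contents("$root/wp-config.php", 'outside');   // a file outside the directory
symlink("$root/wp-config.php", "$dir/link.php");        // a link planted inside it

$cases = ['clip.mp4', '../wp-config.php', 'link.php', "clip.mp4\0.txt", '.', '..'];
foreach ($cases as $name) {
    printf("%-20s deleted=%s\n", json_encode($name), var_export(delete_performer_file($dir, $name), true));
}
printf("outside file still present: %s\n", var_export(file_exists("$root/wp-config.php"), true));

// Clean up the demo tree.
unlink("$dir/link.php");
@unlink("$dir/clip.mp4");
unlink("$root/wp-config.php");
rmdir($dir);
rmdir($root);
```

In a real WordPress AJAX or REST handler this check sits after the authorization gates, not instead of them: verify the nonce (check_ajax_referer() or the REST permission callback), confirm the caller may manage the files in question (current_user_can()), then derive $performerDir from the user ID and pass only the submitted file name through resolve_confined_path(). A web-application-firewall rule that drops names containing path separators or ".." at the edge, as the compensating controls above describe, reduces exposure while the fix is pending, but it does not replace the server-side containment.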
Affected Products
- videowhisper / Paid Videochat Turnkey Site: ≤ 7.4.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H