https://www.pluginvulnerabilities.com/2017/09/01/php-object-injection-vulnerability-in-videowhisper-live-streaming/

Recently we found that the plugin VideoWhisper Live Streaming contained a PHP object injection vulnerability.

The plugin makes the function vwls_calls() available through WordPress’ AJAX functionality whether the requester is logged in to WordPress or not (in the file /videowhisper_streaming.php ):

94 95 add_action( ‘wp_ajax_vwls’, array(‘VWliveStreaming’,’vwls_calls’)); add_action( ‘wp_ajax_nopriv_vwls’, array(‘VWliveStreaming’,’vwls_calls’));

add_action( ‘wp_ajax_vwls’, array(‘VWliveStreaming’,’vwls_calls’)); add_action( ‘wp_ajax_nopriv_vwls’,

Share This

We are using cookies on our website

Please confirm, if you accept our tracking cookies. You can also decline the tracking, so you can continue to visit our website without any data sent to third party services.