External risk intelligence

Broadcast Live Video Plugin PHP Object Injection

CVE advisory. Severity: CRITICAL (CVSS 9.8)

CVE-2026-27053

An unauthenticated PHP object injection vulnerability exists in the Broadcast Live Video WordPress plugin, a live video broadcasting component. If the vulnerable endpoint is reachable, this flaw could allow unauthorized remote system access and significant data compromise. Leadership should ensure security teams confirm whether the plugin is in use and whether it is exposed.

Halo Surface Signal: 4

Deserialization

External exposure likelihood

Halo Surface Signal score for CVE-2026-27053

The vulnerability affects a WordPress plugin designed for live video broadcasting. Such plugins are typically installed to provide public-facing web functionality, making the associated web endpoints commonly reachable from the internet as part of normal site operations.

PCI scan relevance

PCI Relevance for CVE-2026-27053

Yes

CVE-2026-27053 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability is a critical unauthenticated PHP object injection that affects systems using Broadcast Live Video versions prior to 7.1.3. Its high CVSS score makes it relevant for PCI scanning.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

This critical vulnerability is an unauthenticated PHP object injection in the Broadcast Live Video WordPress plugin, a live video broadcasting component. Its high severity and network reachability mean it could allow unauthorized access to, and manipulation of, affected systems. Leadership should ensure their security teams are aware of this issue and confirm whether the organization uses potentially affected software.

  • Allows unauthorized remote system access.
  • Potential for significant data compromise.
  • Confirm relevance and exposure.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by sending specially crafted data to the application. Because no authentication is required, anyone who can reach the plugin's endpoint can trigger the flaw, which can lead to complete system compromise.

  • No authentication needed.
  • PHP Object Injection.
  • Complete system compromise.

Live Threat

Current exploitation, exposure, and threat context

Unauthenticated PHP Object Injection in the Broadcast Live Video plugin could allow an attacker to execute arbitrary code when specific conditions are met, potentially leading to a compromise of the affected system.

  • System code execution.
  • Remote unauthenticated injection.
  • Full system compromise.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

The owner of the Broadcast Live Video plugin, likely a website administrator or a platform team, should initiate the response. The first practical step is to identify all instances of the plugin across the organization's digital footprint, confirm if any are internet-facing or host critical data, and then designate an accountable owner for remediation.

  • Plugin owner to identify all affected instances.
  • Verify plugin reachability and business criticality.
  • Plan remediation based on confirmed risk.

Frequently asked questions

What is the Broadcast Live Video plugin?

Broadcast Live Video is a WordPress plugin that enables website owners to integrate live video streaming and broadcasting capabilities directly into their sites. It is commonly used by content creators and businesses to host real-time media feeds for their audiences.

How does CVE-2026-27053 work?

This vulnerability is classified as PHP Object Injection (CWE-502, deserialization of untrusted data). It occurs when the plugin deserializes data it receives without validating it, allowing an attacker to have PHP objects of their choosing instantiated inside the application. Code that runs as a side effect of those objects can then make the server execute unintended code or perform unauthorized actions.
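The pattern behind CWE-502 in PHP, as an added illustration that is not code from the Broadcast Live Video plugin and makes no claim about how that plugin actually handles its input: a loader that calls unserialize() on request data next to two hardened versions. The class name CacheFile and the request parameter are hypothetical.

```php
<?php
// Added illustration of PHP object injection (CWE-502). Not the plugin's code;
// the CacheFile class and the 'state' parameter are hypothetical.

// A class with a magic method whose behaviour depends on a property that a
// serialized payload can set. In real applications such "gadgets" live in
// the framework, other plugins, or vendored libraries, not in the vulnerable
// code itself.
class CacheFile {
    public $path = '';
    public function __destruct() {
        // Runs automatically when the object is destroyed, i.e. simply
        // deserializing a payload is enough to reach this code.
        if ($this->path !== '') {
            error_log("CacheFile cleanup requested for: " . $this->path);
        }
    }
}

// VULNERABLE pattern: unserialize() on data taken straight from the request.
// unserialize() instantiates whatever class the payload names and fills in
// its properties, so the attacker decides which __destruct/__wakeup runs.
function load_state_vulnerable($untrusted) {
    return unserialize($untrusted);
}

// HARDENED pattern 1: refuse object instantiation from untrusted data.
// With allowed_classes => false (PHP >= 7.0) any object token becomes a
// __PHP_Incomplete_Class, whose magic methods are never invoked.
function load_state_hardened($untrusted) {
    $value = @unserialize($untrusted, ['allowed_classes' => false]);
    if ($value === false && $untrusted !== serialize(false)) {
        return null; // malformed or rejected input: fail closed
    }
    return $value;
}

// HARDENED pattern 2 (preferred for new code): carry state across the trust
// boundary in a data-only format. JSON cannot express PHP objects at all.
function load_state_json($untrusted) {
    $value = json_decode($untrusted, true, 512);
    return is_array($value) ? $value : null;
}

// Constructed inputs for this illustration.
$benign  = serialize(['page' => 1]);
$payload = 'O:9:"CacheFile":1:{s:4:"path";s:12:"/tmp/example";}';

var_dump(load_state_hardened($benign));                                  // plain array survives
var_dump(load_state_hardened($payload) instanceof __PHP_Incomplete_Class); // object neutralised
var_dump(load_state_json('{"page":1}'));                                 // data-only alternative
```

Detection on the defender's side is usually a code search: every call to unserialize() whose argument can be traced back to $_GET, $_POST, $_COOKIE, $_REQUEST or a request body deserves review, and static analysers for PHP flag exactly that data flow.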

Do I need to be logged in for an attacker to trigger this?

No, authentication is not required to trigger this vulnerability. An attacker can initiate the attack remotely without needing a user account or special permissions. This flaw is not triggered by standard user interactions, like simply viewing a video stream, but rather by specifically crafted data sent to the plugin's backend.

Is my site at risk if I use this plugin?

According to Halo Surface Signal, this plugin is designed to provide public-facing video functionality, which often makes its endpoints reachable from the internet. If your site uses an affected version and is accessible to the public, it is considered higher risk than internal-only applications.

How do I respond to this threat?

Your first step is to perform an inventory of your digital assets to locate all instances where the Broadcast Live Video plugin is installed. Once you have identified them, determine which instances are exposed to the internet or handle sensitive data to prioritize your remediation efforts.
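A way to carry out the inventory step described in the Operational Fix and in this answer, as an added example that is not part of the advisory: a scanner that walks web roots, reads each WordPress plugin's main file header, and reports copies of Broadcast Live Video whose Version is below 7.1.3, the first fixed version the advisory names. The plugin's directory slug is not given on this page, so the scanner matches on the "Plugin Name:" header rather than a path; the sample headers are constructed for the example.

```python
"""Added example (not from the advisory): find installed copies of the
Broadcast Live Video WordPress plugin older than 7.1.3.

WordPress plugins declare "Key: value" headers in the leading comment block
of their main PHP file; this script parses that block. The sample headers at
the bottom are constructed for this illustration."""
import re
import sys
import tempfile
from pathlib import Path

PLUGIN_NAME = "Broadcast Live Video"
FIXED_VERSION = (7, 1, 3)  # advisory: versions prior to 7.1.3 are affected

# Matches lines such as " * Plugin Name: Foo" or "Version: 7.1.2".
_HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version)\s*:\s*(.+?)\s*$", re.M)


def parse_version(text):
    """'7.1.2' -> (7, 1, 2); a suffix such as '-beta' is ignored."""
    m = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    return tuple(int(p) for p in m.group(1).split(".")) if m else ()


def parse_plugin_header(source):
    """Return the Plugin Name / Version headers found in a plugin file."""
    return {key: value for key, value in _HEADER_RE.findall(source)}


def classify(source):
    """Classify one plugin file: affected, patched, unknown-version, other-plugin."""
    header = parse_plugin_header(source)
    if header.get("Plugin Name") != PLUGIN_NAME:
        return "other-plugin"
    version = parse_version(header.get("Version", ""))
    if not version:
        return "unknown-version"  # cannot tell; needs manual review
    return "affected" if version < FIXED_VERSION else "patched"


def scan_tree(root):
    """Return (path, status) for every plugin main file under wp-content/plugins."""
    results = []
    for php in Path(root).glob("**/wp-content/plugins/*/*.php"):
        head = php.read_text(errors="replace")[:8192]  # headers sit at the top
        if "Plugin Name" in head:
            results.append((str(php), classify(head)))
    return results


# Constructed sample headers (not real plugin files).
SAMPLE_VULNERABLE = """<?php
/**
 * Plugin Name: Broadcast Live Video
 * Description: constructed sample header for this example
 * Version: 7.1.2
 */
"""
SAMPLE_FIXED = SAMPLE_VULNERABLE.replace("Version: 7.1.2", "Version: 7.1.3")
SAMPLE_OTHER = SAMPLE_VULNERABLE.replace(PLUGIN_NAME, "Some Other Plugin")


def demo():
    """Build a throwaway site tree from the samples, scan it, return statuses."""
    with tempfile.TemporaryDirectory() as root:
        samples = [("blv-old", SAMPLE_VULNERABLE), ("blv-new", SAMPLE_FIXED),
                   ("other", SAMPLE_OTHER)]
        for slug, src in samples:
            plugin_dir = Path(root, "site", "wp-content", "plugins", slug)
            plugin_dir.mkdir(parents=True)
            (plugin_dir / f"{slug}.php").write_text(src)
        return sorted(status for _, status in scan_tree(root))


if __name__ == "__main__":
    roots = sys.argv[1:] or ["."]
    for root in roots:
        for path, status in scan_tree(root):
            print(f"{status:16} {path}")
```

Run it as `python scan_blv.py /var/www /srv/sites` on each web host; an "affected" or "unknown-version" line is an instance to hand to the designated owner, and cross-checking results against the internet-facing hostnames gives the exposure ranking the advisory asks for.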

References