Critical CVE-2026-57331 Allows Arbitrary File Deletion in Videochat Plugin

CVE-2026-57331, published on June 29, 2026, reveals a critical vulnerability in the Paid Videochat Turnkey Site Plugin versions 7.4.8 and earlier. This flaw, categorized as a path traversal issue (CWE-22), allows authenticated users with performer privileges to delete arbitrary files on the system. The potential impact includes data loss and service disruption, with a CVSS score of 9.9 indicating severe risk. Currently, there is no public proof-of-concept or evidence of exploitation, but immediate updates to version 7.4.9 or later are recommended. Security advisories have been issued, urging users to restrict performer account permissions and monitor file system activity. The vulnerability affects users of the Paid Videochat Turnkey Site Plugin on WordPress. Organizations are advised to audit performer account access logs to mitigate risks.

Key Points: • CVE-2026-57331 allows arbitrary file deletion in Paid Videochat Turnkey Site Plugin <= 7.4.8. • The vulnerability has a CVSS score of 9.9, indicating critical severity. • Immediate updates to version 7.4.9 or later are necessary to mitigate risks.