Recently we found that the plugin VideoWhisper Live Streaming contained a PHP object injection vulnerability.
The plugin makes the function vwls_calls() available through WordPress’ AJAX functionality whether the requester is logged in to WordPress or not (in the file /videowhisper_streaming.php):
add_action( 'wp_ajax_vwls', array('VWliveStreaming','vwls_calls'));
add_action( 'wp_ajax_nopriv_vwls', array('VWliveStreaming','vwls_calls'));
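An added audit sketch (not code from the post or from the plugin): it lists every wp_ajax_nopriv_ registration in a PHP source string and reports whether the registered handler passes request data to unserialize(), the sink behind PHP object injection. The regex-based parsing, the one-assignment taint tracking and the sample PHP with its Demo_Plugin names are assumptions made for illustration.

```python
import re

# wp_ajax_nopriv_<action> hooks; callback is array(C,'m'), [C,'m'] or 'function'.
HOOK_RE = re.compile(
    r"add_action\(\s*['\"]wp_ajax_nopriv_(\w+)['\"]\s*,\s*"
    r"(?:(?:array\(|\[)\s*['\"]?[\w$]+['\"]?\s*,\s*['\"](\w+)['\"]\s*[\])]"
    r"|['\"](\w+)['\"])")
REQ = r"\$_(?:GET|POST|REQUEST|COOKIE)\b"

def function_body(php, name):
    """Brace-balanced body of `function name(...)`; braces in strings are not handled."""
    m = re.search(r"function\s+&?\s*%s\s*\([^)]*\)\s*\{" % re.escape(name), php)
    if not m:
        return None
    depth = 1
    for i in range(m.end(), len(php)):
        depth += {"{": 1, "}": -1}.get(php[i], 0)
        if depth == 0:
            return php[m.end():i]
    return None

def reaches_unserialize(body):
    """True if request data, directly or via one assignment, feeds unserialize()."""
    tainted = set(re.findall(r"(\$\w+)\s*=[^;=]*" + REQ, body))
    for call in re.finditer(r"\b(?:maybe_)?unserialize\s*\(([^;]*)", body):
        arg = call.group(1)
        if re.search(REQ, arg) or any(re.search(re.escape(v) + r"\b", arg) for v in tainted):
            return True
    return False

def audit(php):
    """Return (action, handler, verdict) for each wp_ajax_nopriv_ registration."""
    out = []
    for action, method, func in HOOK_RE.findall(php):
        body = function_body(php, method or func)
        if body is None:
            verdict = "handler not in this file"
        elif reaches_unserialize(body):
            verdict = "review: unserialize on request data"
        else:
            verdict = "no unserialize sink seen"
        out.append((action, method or func, verdict))
    return out

# Constructed sample (hypothetical names, not the plugin's code).
SAMPLE = """add_action( 'wp_ajax_nopriv_demo', array('Demo_Plugin','demo_calls'));
add_action( 'wp_ajax_nopriv_ping', 'demo_ping' );
class Demo_Plugin { static function demo_calls() {
    $raw = base64_decode( $_POST['opts'] ); if ( $raw ) { $opts = unserialize( $raw ); } wp_die(); } }
function demo_ping() { echo json_encode( array( 'ok' => true ) ); wp_die(); }"""
```

A "review" verdict is a prompt for manual inspection; handlers that reach unserialize() through helper functions or longer assignment chains are not detected by this sketch.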
Source: Security Feed