CVE-2025-49967
BaseFortify
Publication date: 2025-06-20
Last updated on: 2026-04-23
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Cross-Site Request Forgery (CSRF) in the WordPress Live Sports Streamthunder plugin up to version 2.1. It allows an attacker to trick authenticated users with higher privileges into performing unwanted actions on the site without their consent. This can compromise site security by exploiting broken access control mechanisms. [1]
How can this vulnerability impact me? :
The vulnerability can lead to unauthorized actions being executed by privileged users without their knowledge, potentially compromising the security and integrity of your website. Since the plugin is abandoned and no official fix is available, the risk remains unless a virtual patch is applied or the plugin is replaced. This could result in loss of control over site functions or unauthorized changes. [1]
What immediate steps should I take to mitigate this vulnerability?
Since the Live Sports Streamthunder plugin is abandoned and has no official fix, immediate mitigation steps include applying a virtual patch (vPatch) provided by Patchstack to protect your site. Additionally, it is strongly advised to urgently replace the vulnerable plugin with an alternative solution. Simply deactivating the plugin does not eliminate the threat. [1]