CVE-2025-7812
BaseFortify
Publication date: 2025-08-28
Last updated on: 2025-08-29
Assigner: Wordfence
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| videowhisper | video_share_vod | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the Video Share VOD – Turnkey Video Site Builder Script WordPress plugin (up to and including version 2.7.6) is a Cross-Site Request Forgery (CSRF) issue. It occurs because the adminExport() function lacks nonce validation, so an attacker can craft a forged request that tricks a logged-in site administrator into performing an unintended action. This lets an unauthenticated attacker update plugin settings and, if the Server command execution setting is enabled, execute remote code.
How can this vulnerability impact me?
This vulnerability can have severe impacts including unauthorized changes to plugin settings and remote code execution on the server. An attacker can exploit this by tricking an administrator into clicking a malicious link, potentially leading to full compromise of the WordPress site, data loss, or server takeover.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves checking whether the WordPress site is running the Video Share VOD plugin at version 2.7.6 or earlier and whether the adminExport() function lacks nonce verification. Since the vulnerability is a Cross-Site Request Forgery (CSRF) issue exploitable via forged POST requests, you can monitor HTTP POST requests to the plugin's export settings endpoint for missing or invalid nonce parameters. For example, you can use network monitoring tools such as tcpdump or Wireshark to capture POST requests to the WordPress admin export URL used by Video Share VOD and inspect whether the `_wpnonce` parameter is missing or invalid (this only works for traffic that is not TLS-encrypted; otherwise inspect the web server's access logs or a WAF log instead). Additionally, on the server you can check the plugin version with WP-CLI, if it is installed: `wp plugin list --format=json | jq '.[] | select(.name=="video-share-vod") | .version'`. There is no direct command that detects exploitation attempts, but monitoring for unusual POST requests without valid nonces targeting the plugin's export functionality is recommended. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the Video Share VOD plugin to version 2.7.7 or later, which adds nonce verification to the adminExport() function to prevent CSRF attacks. The update adds a security check that verifies the presence and validity of a WordPress nonce in POST requests, rejecting unauthorized or forged requests. Until the update is applied, consider disabling the 'Server command execution' setting if possible, to reduce the risk of remote code execution. Additionally, restrict administrative access to trusted users and avoid clicking suspicious links that could trigger forged requests. [1]
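As an added illustration of the class of fix described above (hypothetical code written for this page, not the Video Share VOD plugin's own source), here is a settings-export handler that trusts any POST it receives, beside the hardened shape that ties the form to a WordPress nonce via wp_nonce_field() and checks it with check_admin_referer() plus a capability check. The function and option names (vsv_*) are assumed for the example.

```php
<?php
// Added illustration, not code from the Video Share VOD plugin.
// Function, action and option names are hypothetical.

// Vulnerable shape: the handler acts on any POST that reaches it, so a
// forged cross-site request sent from a logged-in administrator's
// browser is processed exactly like a legitimate one (CWE-352).
function vsv_admin_export_vulnerable() {
    if ( isset( $_POST['vsv_settings'] ) ) {
        update_option( 'vsv_settings', wp_unslash( $_POST['vsv_settings'] ) );
    }
}

// Hardened shape: the form embeds a nonce bound to this action and the
// current user, and the handler refuses to act unless both the nonce
// and the caller's capability check out.
const VSV_EXPORT_ACTION = 'vsv_admin_export';

function vsv_render_export_form() {
    echo '<form method="post">';
    // Emits the hidden _wpnonce (and _wp_http_referer) fields for the action.
    wp_nonce_field( VSV_EXPORT_ACTION );
    echo '<input type="hidden" name="vsv_settings" value="">';
    submit_button( 'Export settings' );
    echo '</form>';
}

function vsv_admin_export_hardened() {
    // Only users who may manage options get to change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // check_admin_referer() validates $_POST['_wpnonce'] against the action
    // and stops execution if it is missing or invalid. A third-party page
    // cannot read the victim's nonce, so a forged request fails here.
    check_admin_referer( VSV_EXPORT_ACTION );

    if ( isset( $_POST['vsv_settings'] ) ) {
        $settings = sanitize_text_field( wp_unslash( $_POST['vsv_settings'] ) );
        update_option( 'vsv_settings', $settings );
    }
}
```

A nonce check alone is not an authorization check: the current_user_can() test is what keeps a low-privileged user with a valid nonce from changing settings, so the two belong together.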