CVE-2025-49967
Description
Cross-Site Request Forgery (CSRF) vulnerability in marcusjansen Live Sports Streamthunder (live-sports-streamthunder) allows Cross Site Request Forgery. This issue affects Live Sports Streamthunder: from n/a through <= 2.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A CSRF vulnerability in the Live Sports Streamthunder WordPress plugin allows attackers to force privileged users into executing unintended actions.
Vulnerability
Overview
The Live Sports Streamthunder WordPress plugin (versions up to and including 2.1) contains a Cross-Site Request Forgery (CSRF) vulnerability [1]. The flaw exists because the plugin does not validate a WordPress nonce (the per-user, per-action CSRF token that wp_nonce_field()/check_admin_referer() implement) on at least one state-changing request, so a request assembled by a third-party page is indistinguishable from one submitted through the plugin's own admin form [1].
Exploitation
Details
To exploit this vulnerability, an attacker must get a privileged user (such as an administrator) to click a malicious link, visit a crafted page, or submit a prepared form while that user holds an authenticated session on the WordPress site [1]. The attacker needs no account on the target site; the only requirement is delivering the crafted request to a logged-in victim, whose browser then attaches the site's authentication cookies. Two practical caveats: each target site needs its own victim with an active privileged session, so the vector is less suited to unauthenticated mass exploitation than an authentication bypass, even though a phishing mail or a poisoned page can still reach many administrators at once [1]; and because WordPress does not set an explicit SameSite attribute on its auth cookies, browsers that default such cookies to Lax (Chromium-based browsers do) will not send them on a cross-site POST, so the realistic paths are GET-driven state changes, same-site delivery (for example via stored HTML on the same host), or browsers and sessions where the Lax default does not apply.
Impact
Successful exploitation forces the authenticated privileged user to perform unintended actions within their current session [1]. The advisory does not enumerate which plugin actions lack the nonce check, so the concrete impact is whatever state change the unprotected handler performs (typically changing plugin settings such as stream sources or embedded content); any further escalation would depend on what those settings control. The CVSS v3 base score is 4.3 (Medium) [1], consistent with a network-reachable issue that needs user interaction and has a low integrity impact and no confidentiality or availability impact.
Mitigation
As an immediate action, check the plugin's changelog and update to any release later than 2.1 that addresses this CSRF issue [1]; this page lists no fixed version, so verify that such a release exists before assuming the update closes the hole. If no fixed release is available, deactivate and remove the plugin, since a missing nonce check cannot be added from outside the plugin's code. As a temporary stopgap, a WAF or reverse-proxy rule that rejects POST requests to wp-admin/admin-post.php and wp-admin/admin-ajax.php whose Origin or Referer header is not the site's own origin blocks the common cross-site delivery path, at the cost of breaking any legitimate cross-origin integration; site owners without the means to do this should ask their hosting provider or a web developer for help [1].
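The following is an added illustration of the mechanism described in the Overview and of the developer-side fix; it is not code from the Live Sports Streamthunder plugin, and every identifier in it (the lss_ prefix, the option name, the form page) is hypothetical. It shows a settings handler registered on WordPress's admin_post_{action} hook in its vulnerable form, where any logged-in administrator's browser can be driven to submit it from another origin, beside the hardened form that adds a capability check, a nonce check with check_admin_referer(), and input validation, plus the form that emits the matching nonce field.

```php
<?php
/*
 * Added illustration, not code from the Live Sports Streamthunder plugin.
 * All identifiers (lss_*, the option name, the settings page slug) are hypothetical.
 * Both handlers are dispatched by wp-admin/admin-post.php via the admin_post_{action} hook.
 */

// BEFORE (vulnerable): trusts any POST that arrives with a valid admin session.
// A page on another origin can auto-submit a form to
//   /wp-admin/admin-post.php?action=lss_save_settings_vuln
// and the browser attaches the victim's WordPress authentication cookies.
add_action( 'admin_post_lss_save_settings_vuln', function () {
    // No nonce check: nothing ties the request to the plugin's own form.
    // No capability check: any authenticated user who reaches admin-post.php can hit it.
    update_option( 'lss_stream_url', sanitize_text_field( wp_unslash( $_POST['stream_url'] ?? '' ) ) );
    wp_safe_redirect( admin_url( 'admin.php?page=lss-settings' ) );
    exit;
} );

// AFTER (hardened): same action, three checks added before any state change.
add_action( 'admin_post_lss_save_settings', function () {
    // 1. Authorisation: only users allowed to manage options may change settings.
    //    A nonce is not an authorisation check; both are needed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }

    // 2. CSRF: the nonce is bound to the user and session and only ever rendered
    //    into the plugin's own form, so a cross-origin page cannot obtain it.
    //    check_admin_referer() calls wp_die() on a missing or invalid nonce.
    check_admin_referer( 'lss_save_settings', 'lss_nonce' );

    // 3. Validate the value before storing it.
    $url = esc_url_raw( wp_unslash( $_POST['stream_url'] ?? '' ) );
    if ( '' === $url || ! wp_http_validate_url( $url ) ) {
        wp_die( 'Invalid stream URL.', 400 );
    }
    update_option( 'lss_stream_url', $url );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'admin.php?page=lss-settings' ) ) );
    exit;
} );

// The settings form must emit the matching nonce field; otherwise the hardened
// handler rejects the plugin's own submissions as well.
function lss_render_settings_page() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="lss_save_settings">
        <?php wp_nonce_field( 'lss_save_settings', 'lss_nonce' ); ?>
        <label>Stream URL
            <input type="url" name="stream_url"
                   value="<?php echo esc_attr( get_option( 'lss_stream_url', '' ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

When auditing a plugin for this class of bug, grep every admin_post_*, wp_ajax_* and REST callback for a check_admin_referer(), check_ajax_referer() or wp_verify_nonce() call that precedes the first update_option(), wp_insert_*() or file write; AJAX handlers use check_ajax_referer() rather than check_admin_referer(), and REST routes rely on the X-WP-Nonce header plus a permission_callback instead.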
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <= 2.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
References: 1
News mentions: 0
No linked articles in our index yet.