CVE-2025-62080

Vulnerability

Overview

The Cross-Site Request Forgery (CSRF) vulnerability in Channelize.io's Live Shopping & Shoppable Videos For WooCommerce plugin (versions up to and including 2.2.0) allows an unauthenticated attacker to trick a logged-in administrator into performing unintended actions. This occurs because the plugin does not validate or verify the origin of requests when processing sensitive operations [1].

Exploitation

Details

To exploit this vulnerability, an attacker must craft a malicious link or form that, when clicked or submitted by an authenticated administrator, triggers a state-changing request to the WordPress site. The attack requires user interaction—the victim must be logged in and perform an action such as clicking a link or visiting a crafted page. No special privileges are needed for the attacker beyond the ability to deliverability of the malicious payload [1].

Impact

Successful exploitation could allow an attacker to force the victim to execute unwanted actions under their current authentication, such as modifying plugin settings, creating new admin users, or performing other administrative tasks. This can lead to partial loss of integrity and availability, though the CVSS score of 4.3 (Medium) reflects the requirement for user interaction [1].

Mitigation

The vendor has not released a patched version as of the publication date. Users are advised to update the plugin immediately if a fix becomes available. As a workaround, administrators should avoid clicking suspicious links while logged in, and consider using security plugins that add CSRF tokens or same-origin checks. This vulnerability is noted as being used in mass-exploit campaigns, so prompt action is recommended [1].