Skip to main content

WordPress CVE-2025-62081

MEDIUM
Missing Authorization (CWE-862)
2025-12-31 audit@patchstack.com
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
CVSS changed
Apr 23, 2026 - 15:43 NVD
5.3 (MEDIUM)
Analysis Generated
Apr 01, 2026 - 17:44 vuln.today
CVE Published
Dec 31, 2025 - 15:15 nvd
N/A

DescriptionCVE.org

Missing Authorization vulnerability in Channelize.io Team Live Shopping &amp; Shoppable Videos For WooCommerce live-shopping-video-streams allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Live Shopping &amp; Shoppable Videos For WooCommerce: from n/a through <= 2.2.0.

AnalysisAI

Missing authorization in Channelize.io Team Live Shopping & Shoppable Videos For WooCommerce plugin (versions up to 2.2.0) allows unauthenticated or low-privilege users to exploit incorrectly configured access controls to perform unauthorized actions. The vulnerability stems from broken access control (CWE-862) where endpoint-level authorization checks are insufficient or absent, potentially allowing attackers to bypass intended security restrictions on sensitive functionality. No public exploit code or active exploitation has been confirmed; EPSS score of 0.04% indicates low real-world exploitation probability at time of analysis.

Technical ContextAI

The vulnerability affects the Channelize.io Live Shopping & Shoppable Videos For WooCommerce WordPress plugin, which extends WooCommerce with live shopping and video commerce capabilities. The root cause is classified as CWE-862 (Missing Authorization), indicating that the plugin fails to properly validate user permissions before granting access to protected operations or endpoints. This is a common class of flaw in WordPress plugins where custom REST API endpoints, AJAX handlers, or action hooks lack proper capability checks (typically using WordPress functions like current_user_can() or similar permission validation). The plugin likely implements custom shopping or streaming functionality that requires role-based access control, but has not properly enforced those checks across all entry points.

Affected ProductsAI

Channelize.io Team Live Shopping & Shoppable Videos For WooCommerce plugin for WordPress is affected in all versions from the initial release through version 2.2.0 (inclusive). The vulnerability was discovered and reported by Patchstack (audit@patchstack.com). Administrators should check their active plugin version against this range. The affected product is identified as live-shopping-video-streams in the WordPress plugin ecosystem.

RemediationAI

Update the Channelize.io Team Live Shopping & Shoppable Videos For WooCommerce plugin to a version newer than 2.2.0 as soon as practical. Consult the official Patchstack vulnerability database entry (https://patchstack.com/database/Wordpress/Plugin/live-shopping-video-streams/vulnerability/wordpress-live-shopping-shoppable-videos-for-woocommerce-plugin-2-2-0-broken-access-control-vulnerability?_s_id=cve) for specific patched version information and installation instructions. In the interim, administrators should review user roles and capabilities assigned to affected plugin features through WordPress role management, restrict access to live shopping functionality to trusted users only via WordPress capability management, and monitor access logs for unusual API or AJAX requests to the plugin's endpoints. After applying the patch, verify that proper capability checks (such as current_user_can()) are being enforced on all custom endpoints and actions.

CVE-2016-10045 CRITICAL POC
9.8 Dec 30

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-5084 CRITICAL POC
9.8 May 23

The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2020-36847 CRITICAL POC
9.8 Jul 12

The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner

CVE-2025-11749 CRITICAL POC
9.8 Nov 05

The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint

CVE-2016-1209 CRITICAL POC
9.8 May 14

The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via

CVE-2024-4443 CRITICAL POC
9.8 May 22

The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based

CVE-2024-1698 CRITICAL POC
9.8 Feb 27

SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a

CVE-2023-6875 CRITICAL POC
9.8 Jan 11

The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i

CVE-2024-1512 CRITICAL POC
9.8 Feb 17

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base

CVE-2024-3495 CRITICAL POC
9.8 May 22

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete

Share

CVE-2025-62081 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy