WordPress
CVE-2025-62081
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Missing Authorization vulnerability in Channelize.io Team Live Shopping & Shoppable Videos For WooCommerce live-shopping-video-streams allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Live Shopping & Shoppable Videos For WooCommerce: from n/a through <= 2.2.0.
AnalysisAI
Missing authorization in Channelize.io Team Live Shopping & Shoppable Videos For WooCommerce plugin (versions up to 2.2.0) allows unauthenticated or low-privilege users to exploit incorrectly configured access controls to perform unauthorized actions. The vulnerability stems from broken access control (CWE-862) where endpoint-level authorization checks are insufficient or absent, potentially allowing attackers to bypass intended security restrictions on sensitive functionality. No public exploit code or active exploitation has been confirmed; EPSS score of 0.04% indicates low real-world exploitation probability at time of analysis.
Technical ContextAI
The vulnerability affects the Channelize.io Live Shopping & Shoppable Videos For WooCommerce WordPress plugin, which extends WooCommerce with live shopping and video commerce capabilities. The root cause is classified as CWE-862 (Missing Authorization), indicating that the plugin fails to properly validate user permissions before granting access to protected operations or endpoints. This is a common class of flaw in WordPress plugins where custom REST API endpoints, AJAX handlers, or action hooks lack proper capability checks (typically using WordPress functions like current_user_can() or similar permission validation). The plugin likely implements custom shopping or streaming functionality that requires role-based access control, but has not properly enforced those checks across all entry points.
Affected ProductsAI
Channelize.io Team Live Shopping & Shoppable Videos For WooCommerce plugin for WordPress is affected in all versions from the initial release through version 2.2.0 (inclusive). The vulnerability was discovered and reported by Patchstack (audit@patchstack.com). Administrators should check their active plugin version against this range. The affected product is identified as live-shopping-video-streams in the WordPress plugin ecosystem.
RemediationAI
Update the Channelize.io Team Live Shopping & Shoppable Videos For WooCommerce plugin to a version newer than 2.2.0 as soon as practical. Consult the official Patchstack vulnerability database entry (https://patchstack.com/database/Wordpress/Plugin/live-shopping-video-streams/vulnerability/wordpress-live-shopping-shoppable-videos-for-woocommerce-plugin-2-2-0-broken-access-control-vulnerability?_s_id=cve) for specific patched version information and installation instructions. In the interim, administrators should review user roles and capabilities assigned to affected plugin features through WordPress role management, restrict access to live shopping functionality to trusted users only via WordPress capability management, and monitor access logs for unusual API or AJAX requests to the plugin's endpoints. After applying the patch, verify that proper capability checks (such as current_user_can()) are being enforced on all custom endpoints and actions.
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner
The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via
The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based
SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a
The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i
The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today