CVE-2025-62081
Description
Missing Authorization vulnerability in Channelize.io Team Live Shopping & Shoppable Videos For WooCommerce live-shopping-video-streams allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Live Shopping & Shoppable Videos For WooCommerce: from n/a through <= 2.2.0.
Analysis
Missing authorization in Channelize.io Team Live Shopping & Shoppable Videos For WooCommerce plugin (versions up to 2.2.0) allows unauthenticated or low-privilege users to exploit incorrectly configured access controls to perform unauthorized actions. The vulnerability stems from broken access control (CWE-862) where endpoint-level authorization checks are insufficient or absent, potentially allowing attackers to bypass intended security restrictions on sensitive functionality. No public exploit code or active exploitation has been confirmed; EPSS score of 0.04% indicates low real-world exploitation probability at time of analysis.
Technical Context
The vulnerability affects the Channelize.io Live Shopping & Shoppable Videos For WooCommerce WordPress plugin, which extends WooCommerce with live shopping and video commerce capabilities. The root cause is classified as CWE-862 (Missing Authorization), indicating that the plugin fails to properly validate user permissions before granting access to protected operations or endpoints. This is a common class of flaw in WordPress plugins where custom REST API endpoints, AJAX handlers, or action hooks lack proper capability checks (typically using WordPress functions like current_user_can() or similar permission validation). The plugin likely implements custom shopping or streaming functionality that requires role-based access control, but has not properly enforced those checks across all entry points.
Affected Products
Channelize.io Team Live Shopping & Shoppable Videos For WooCommerce plugin for WordPress is affected in all versions from the initial release through version 2.2.0 (inclusive). The vulnerability was discovered and reported by Patchstack. Administrators should check their active plugin version against this range. The affected product is identified as live-shopping-video-streams in the WordPress plugin ecosystem.
Remediation
Update the Channelize.io Team Live Shopping & Shoppable Videos For WooCommerce plugin to a version newer than 2.2.0 as soon as practical. Consult the official Patchstack vulnerability database entry (https://patchstack.com/database/Wordpress/Plugin/live-shopping-video-streams/vulnerability/wordpress-live-shopping-shoppable-videos-for-woocommerce-plugin-2-2-0-broken-access-control-vulnerability?_s_id=cve) for specific patched version information and installation instructions. In the interim, administrators should review user roles and capabilities assigned to affected plugin features through WordPress role management, restrict access to live shopping functionality to trusted users only via WordPress capability management, and monitor access logs for unusual API or AJAX requests to the plugin's endpoints. After applying the patch, verify that proper capability checks (such as current_user_can()) are being enforced on all custom endpoints and actions.
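One way to check an installation against the affected range, as an added example (not code from the plugin, Patchstack or this advisory). It assumes the standard WordPress layout wp-content/plugins/<slug>/ and the standard "Version:" plugin header; the function names and the demo() sample file are constructed for illustration.

```python
import re
import sys
import tempfile
from pathlib import Path

SLUG = "live-shopping-video-streams"  # plugin slug given in the advisory
LAST_AFFECTED = (2, 2, 0)             # advisory: affected through <= 2.2.0

# WordPress takes plugin metadata from the header comment of the main PHP file.
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\S+)", re.M | re.I)

def parse_version(text):
    """'2.10' -> (2, 10, 0). Suffixes such as '-beta' are ignored (simplification)."""
    nums = [int(n) for n in re.findall(r"\d+", text)][:3]
    return tuple(nums + [0] * (3 - len(nums)))

def installed_version(plugin_dir):
    """Return the Version header of the plugin's main file, or None."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        head = php.read_text(encoding="utf-8", errors="replace")[:8192]
        if re.search(r"Plugin Name:", head, re.I):
            match = VERSION_RE.search(head)
            if match:
                return match.group(1)
    return None

def check(plugins_dir):
    """Return (status, version) for one wp-content/plugins directory."""
    plugin_dir = Path(plugins_dir) / SLUG
    if not plugin_dir.is_dir():
        return ("not-installed", None)
    version = installed_version(plugin_dir)
    if version is None:
        return ("unknown", None)  # directory present, header unreadable: check by hand
    # Tuple comparison is numeric, so 2.10.0 sorts above 2.2.0.
    affected = parse_version(version) <= LAST_AFFECTED
    return ("affected" if affected else "above-range", version)

def demo():
    """Run the check against a constructed install (sample data, not a real site)."""
    root = Path(tempfile.mkdtemp())
    (root / SLUG).mkdir()
    (root / SLUG / "main.php").write_text(
        "<?php\n/**\n * Plugin Name: Constructed sample\n * Version: 2.2.0\n */\n")
    return check(root)

if __name__ == "__main__":
    print(check(sys.argv[1]) if len(sys.argv) > 1 else demo())
```

A result of "above-range" only means the installed version is outside the range stated here; the patched version itself should still be confirmed in the Patchstack entry.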