{"id":71093,"date":"2025-09-03T23:41:12","date_gmt":"2025-09-03T23:41:12","guid":{"rendered":""},"modified":"2025-10-02T00:14:29","modified_gmt":"2025-10-02T06:14:29","slug":"cve-2025-7812-critical-cross-site-request-forgery-vulnerability-in-video-share-vod-wordpress-plugin","status":"publish","type":"post","link":"https:\/\/www.ameeba.com\/blog\/cve-2025-7812-critical-cross-site-request-forgery-vulnerability-in-video-share-vod-wordpress-plugin\/","title":{"rendered":"<strong>CVE-2025-7812: Critical Cross-Site Request Forgery Vulnerability in Video Share VOD WordPress Plugin<\/strong>"},"content":{"rendered":"<p><strong>Overview<\/strong><\/p>\n<p>In the digital landscape, WordPress plugins are often an easy target for cybercriminals due to their widespread use and occasional security oversights. The latest to join the list of vulnerable plugins is the Video Share VOD &#8211; Turnkey Video Site Builder Script plugin, which has been found to possess a critical Cross-Site Request Forgery (CSRF) vulnerability. This flaw, identified as CVE-2025-7812, can potentially <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-7734-critical-gitlab-ce-ee-vulnerability-allows-unauthorized-actions-by-attackers\/\"  data-wpil-monitor-id=\"79497\">allow unauthenticated attackers to perform damaging actions<\/a>, provided they can deceive a site administrator into clicking on a malicious link.<br \/>\nThe severity of this issue lies in its <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-54145-firefox-ios-qr-scanner-vulnerability-leading-to-potential-system-compromise\/\"  data-wpil-monitor-id=\"78757\">potential for system<\/a> compromise or data leakage, thereby threatening the security of countless websites powered by WordPress and using this plugin. Given the CVSS Severity Score of 8.8, we understand the urgency to <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-58280-object-heap-address-exposure-vulnerability-in-ark-ets\/\"  data-wpil-monitor-id=\"87252\">address this vulnerability<\/a> promptly.<\/p>\n<p><strong>Vulnerability Summary<\/strong><\/p>\n<p>CVE ID: CVE-2025-7812<br \/>\nSeverity: High (CVSS: 8.8)<br \/>\nAttack Vector: Network<br \/>\nPrivileges Required: None<br \/>\nUser Interaction: Required<br \/>\nImpact: <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-23311-stack-overflow-vulnerability-in-nvidia-triton-inference-server-leading-to-potential-system-compromise\/\"  data-wpil-monitor-id=\"78806\">Potential system<\/a> compromise or data leakage<\/p>\n<p><strong>Affected Products<\/strong><\/p><div id=\"ameeb-2787739034\" class=\"ameeb-content-2 ameeb-entity-placement\"><div style=\"border-left: 4px solid #555; padding-left: 20px; margin: 48px 0; font-family: Roboto, sans-serif; color: #ffffff; line-height: 1.6; max-width: 720px;\">\r\n  <h2 style=\"margin-top: 0; font-size: 22px; font-weight: 600; display: flex; align-items: center; letter-spacing: -0.02em;\">\r\n    <a href=\"https:\/\/www.ameeba.com\/chat\" style=\"display: inline-flex; align-items: center; margin-right: 10px;\">\r\n      <img decoding=\"async\" src=\"https:\/\/www.ameeba.com\/blog\/wp-content\/uploads\/2025\/10\/Best-App-icon-Ameeba.png\" alt=\"Ameeba Chat Icon\" style=\"width: 42px; height: 42px;\" \/>\r\n    <\/a>\r\n    Share secrets securely\r\n  <\/h2>\r\n\r\n  <p style=\"margin-bottom: 14px; color: #d1d5db;\">\r\n    Ameeba is private infrastructure for communication and sensitive work built on encrypted identity instead of exposed corporate identity systems.\r\n  <\/p>\r\n\r\n  <p style=\"margin-bottom: 18px; color: #a1a1aa;\">\r\n    Passwords, credentials, confidential files, screenshots, internal discussions, sensitive AI context, and private coordination should not become exposed across ordinary communication platforms.\r\n  <\/p>\r\n\r\n  <ul style=\"list-style: none; padding-left: 0; margin-bottom: 24px; color: #e4e4e7;\">\r\n    <li style=\"margin-bottom: 8px;\">\u2022 Encrypted identity<\/li>\r\n    <li style=\"margin-bottom: 8px;\">\u2022 Private Spaces for organizations and teams<\/li>\r\n    <li style=\"margin-bottom: 8px;\">\u2022 End-to-end encrypted chat, calls, files, and notes<\/li>\r\n    <li style=\"margin-bottom: 8px;\">\u2022 Sensitive AI work and protected collaboration<\/li>\r\n    <li>\u2022 Built for information that cannot leak<\/li>\r\n  <\/ul>\r\n\r\n  <p style=\"font-style: italic; font-weight: 600; margin-bottom: 24px; color: #ffffff;\">\r\n    Our mission is to secure human work alongside AI.\r\n  <\/p>\r\n\r\n  <div style=\"display: flex; flex-wrap: wrap; gap: 12px;\">\r\n    <a href=\"https:\/\/www.ameeba.com\/chat\/download\" style=\"background-color: #ffffff; color: #000000; padding: 10px 20px; text-decoration: none; border-radius: 8px; font-weight: 500;\">\r\n      Download Ameeba\r\n    <\/a>\r\n\r\n    <a href=\"https:\/\/www.ameeba.com\/chat\" style=\"border: 1px solid #ffffff; color: #ffffff; padding: 10px 20px; text-decoration: none; border-radius: 8px; font-weight: 500;\">\r\n      Learn More\r\n    <\/a>\r\n  <\/div>\r\n<\/div><\/div>\n<p>Product | Affected Versions<\/p>\n<p>Video Share VOD &#8211; Turnkey Video <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-55420-reflected-cross-site-scripting-xss-vulnerability-in-foxcms-v1-2-6\/\"  data-wpil-monitor-id=\"84423\">Site Builder Script<\/a> Plugin | Up to and including 2.7.6<\/p>\n<p><strong>How the Exploit Works<\/strong><\/p>\n<p>CVE-2025-7812 is a CSRF <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-50870-incorrect-access-control-vulnerability-in-institute-of-current-students-1-0\/\"  data-wpil-monitor-id=\"79314\">vulnerability that originates from missing or incorrect<\/a> nonce validation within the adminExport() function of the Video Share VOD plugin. This flaw makes it possible for attackers to send forged requests impersonating the administrator.<br \/>\nThe crux of the exploit lies in tricking a site administrator into performing an action such as clicking on a malicious link. Once this happens, unauthenticated attackers can alter settings and execute <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2011-10018-unauthorized-backdoor-in-mybb-1-6-4-allows-remote-code-execution\/\"  data-wpil-monitor-id=\"78793\">remote code<\/a>, especially if the server command execution setting is enabled.<\/p>\n<p><strong>Conceptual Example Code<\/strong><\/p><div id=\"ameeb-3539648818\" class=\"ameeb-content ameeb-entity-placement\"><div class=\"poptin-embedded\" data-id=\"f6b387694f681\"><\/div>\r\n\r\n\r\n\r\n\r\n\r\n<\/div>\n<p>Below is a conceptual example of how the vulnerability might be exploited, in this case, a malicious HTTP request:<\/p>\n<pre><code class=\"\" data-line=\"\">POST \/wp-admin\/admin-ajax.php?action=vs_export HTTP\/1.1\nHost: target.example.com\nContent-Type: application\/json\n{\n&quot;settings&quot;: {\n&quot;server_command&quot;: &quot;enabled&quot;,\n&quot;command_to_execute&quot;: &quot;malicious_command_here&quot;\n}\n}<\/code><\/pre>\n<p>In this example, the attacker is trying to enable the server <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-46122-arbitrary-command-execution-vulnerability-in-commscope-ruckus-unleashed\/\"  data-wpil-monitor-id=\"78911\">command execution<\/a> setting and then execute a malicious command. All of this could be part of a CSRF attack, where the request is sent from the administrator&#8217;s browser without their knowledge.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Overview In the digital landscape, WordPress plugins are often an easy target for cybercriminals due to their widespread use and occasional security oversights. The latest to join the list of vulnerable plugins is the Video Share VOD &#8211; Turnkey Video Site Builder Script plugin, which has been found to possess a critical Cross-Site Request Forgery [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"footnotes":""},"categories":[1],"tags":[],"vendor":[],"product":[],"attack_vector":[90,80],"asset_type":[],"severity":[],"exploit_status":[],"class_list":["post-71093","post","type-post","status-publish","format-standard","hentry","category-uncategorized","attack_vector-csrf","attack_vector-rce"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts\/71093","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/comments?post=71093"}],"version-history":[{"count":8,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts\/71093\/revisions"}],"predecessor-version":[{"id":80095,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts\/71093\/revisions\/80095"}],"wp:attachment":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/media?parent=71093"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/categories?post=71093"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/tags?post=71093"},{"taxonomy":"vendor","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/vendor?post=71093"},{"taxonomy":"product","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/product?post=71093"},{"taxonomy":"attack_vector","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/attack_vector?post=71093"},{"taxonomy":"asset_type","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/asset_type?post=71093"},{"taxonomy":"severity","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/severity?post=71093"},{"taxonomy":"exploit_status","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/exploit_status?post=71093"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}