{"id":71093,"date":"2025-09-03T23:41:12","date_gmt":"2025-09-03T23:41:12","guid":{"rendered":""},"modified":"2025-10-02T00:14:29","modified_gmt":"2025-10-02T06:14:29","slug":"cve-2025-7812-critical-cross-site-request-forgery-vulnerability-in-video-share-vod-wordpress-plugin","status":"publish","type":"post","link":"https:\/\/www.ameeba.com\/blog\/cve-2025-7812-critical-cross-site-request-forgery-vulnerability-in-video-share-vod-wordpress-plugin\/","title":{"rendered":"<strong>CVE-2025-7812: Critical Cross-Site Request Forgery Vulnerability in Video Share VOD WordPress Plugin<\/strong>"},"content":{"rendered":"<p><strong>Overview<\/strong><\/p>\n<p>In the digital landscape, WordPress plugins are often an easy target for cybercriminals due to their widespread use and occasional security oversights. The latest to join the list of vulnerable plugins is the Video Share VOD &#8211; Turnkey Video Site Builder Script plugin, which has been found to possess a critical Cross-Site Request Forgery (CSRF) vulnerability. This flaw, identified as CVE-2025-7812, can potentially <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-7734-critical-gitlab-ce-ee-vulnerability-allows-unauthorized-actions-by-attackers\/\"  data-wpil-monitor-id=\"79497\">allow unauthenticated attackers to perform damaging actions<\/a>, provided they can deceive a site administrator into clicking on a malicious link.<br \/>\nThe severity of this issue lies in its <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-54145-firefox-ios-qr-scanner-vulnerability-leading-to-potential-system-compromise\/\"  data-wpil-monitor-id=\"78757\">potential for system<\/a> compromise or data leakage, thereby threatening the security of countless websites powered by WordPress and using this plugin. Given the CVSS Severity Score of 8.8, we understand the urgency to <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-58280-object-heap-address-exposure-vulnerability-in-ark-ets\/\"  data-wpil-monitor-id=\"87252\">address this vulnerability<\/a> promptly.<\/p>\n<p><strong>Vulnerability Summary<\/strong><\/p>\n<p>CVE ID: CVE-2025-7812<br \/>\nSeverity: High (CVSS: 8.8)<br \/>\nAttack Vector: Network<br \/>\nPrivileges Required: None<br \/>\nUser Interaction: Required<br \/>\nImpact: <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-23311-stack-overflow-vulnerability-in-nvidia-triton-inference-server-leading-to-potential-system-compromise\/\"  data-wpil-monitor-id=\"78806\">Potential system<\/a> compromise or data leakage<\/p>\n<p><strong>Affected Products<\/strong><\/p><div id=\"ameeb-2153922836\" class=\"ameeb-content-2 ameeb-entity-placement\"><div style=\"border-left: 4px solid #555; padding-left: 20px; margin: 48px 0; font-family: Roboto, sans-serif; color: #ffffff; line-height: 1.6; max-width: 700px;\">\r\n  <h2 style=\"margin-top: 0; font-size: 20px; font-weight: 600; display: flex; align-items: center;\">\r\n    <a href=\"https:\/\/www.ameeba.com\/chat\" style=\"display: inline-flex; align-items: center; margin-right: 8px;\">\r\n      <img decoding=\"async\" src=\"https:\/\/www.ameeba.com\/blog\/wp-content\/uploads\/2025\/10\/Best-App-icon-Ameeba.png\" alt=\"Ameeba Chat Icon\" style=\"width: 40px; height: 40px;\" \/>\r\n    <\/a>\r\n    A new way to communicate\r\n  <\/h2>\r\n\r\n  <p style=\"margin-bottom: 12px;\">\r\n    Ameeba Chat is built on encrypted identity, not personal profiles.\r\n  <\/p>\r\n\r\n  <p style=\"margin-bottom: 16px;\">\r\n    Message, call, share files, and coordinate with identities kept separate.\r\n  <\/p>\r\n\r\n  <ul style=\"list-style: none; padding-left: 0; margin-bottom: 20px;\">\r\n    <li>\u2022 Encrypted identity<\/li>\r\n    <li>\u2022 Ameeba Chat authenticates access<\/li>\r\n    <li>\u2022 Aliases and categories<\/li>\r\n    <li>\u2022 End-to-end encrypted chat, calls, and files<\/li>\r\n    <li>\u2022 Secure notes for sensitive information<\/li>\r\n  <\/ul>\r\n\r\n  <p style=\"font-style: italic; font-weight: 600; margin-bottom: 24px;\">\r\n    Private communication, rethought.\r\n  <\/p>\r\n\r\n  <div style=\"display: flex; flex-wrap: wrap; gap: 12px;\">\r\n    <a href=\"https:\/\/www.ameeba.com\/chat\/download\" style=\"background-color: #ffffff; color: #000000; padding: 10px 20px; text-decoration: none; border-radius: 6px; font-weight: 500;\">Download Ameeba Chat<\/a>\r\n    <a href=\"https:\/\/www.ameeba.com\/chat\" style=\"border: 1px solid #ffffff; color: #ffffff; padding: 10px 20px; text-decoration: none; border-radius: 6px; font-weight: 500;\">Learn More<\/a>\r\n  <\/div>\r\n<\/div>\r\n<\/div>\n<p>Product | Affected Versions<\/p>\n<p>Video Share VOD &#8211; Turnkey Video <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-55420-reflected-cross-site-scripting-xss-vulnerability-in-foxcms-v1-2-6\/\"  data-wpil-monitor-id=\"84423\">Site Builder Script<\/a> Plugin | Up to and including 2.7.6<\/p>\n<p><strong>How the Exploit Works<\/strong><\/p>\n<p>CVE-2025-7812 is a CSRF <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-50870-incorrect-access-control-vulnerability-in-institute-of-current-students-1-0\/\"  data-wpil-monitor-id=\"79314\">vulnerability that originates from missing or incorrect<\/a> nonce validation within the adminExport() function of the Video Share VOD plugin. This flaw makes it possible for attackers to send forged requests impersonating the administrator.<br \/>\nThe crux of the exploit lies in tricking a site administrator into performing an action such as clicking on a malicious link. Once this happens, unauthenticated attackers can alter settings and execute <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2011-10018-unauthorized-backdoor-in-mybb-1-6-4-allows-remote-code-execution\/\"  data-wpil-monitor-id=\"78793\">remote code<\/a>, especially if the server command execution setting is enabled.<\/p>\n<p><strong>Conceptual Example Code<\/strong><\/p><div id=\"ameeb-3926307328\" class=\"ameeb-content ameeb-entity-placement\"><div class=\"poptin-embedded\" data-id=\"f6b387694f681\"><\/div>\r\n\r\n\r\n\r\n\r\n\r\n<\/div>\n<p>Below is a conceptual example of how the vulnerability might be exploited, in this case, a malicious HTTP request:<\/p>\n<pre><code class=\"\" data-line=\"\">POST \/wp-admin\/admin-ajax.php?action=vs_export HTTP\/1.1\nHost: target.example.com\nContent-Type: application\/json\n{\n&quot;settings&quot;: {\n&quot;server_command&quot;: &quot;enabled&quot;,\n&quot;command_to_execute&quot;: &quot;malicious_command_here&quot;\n}\n}<\/code><\/pre>\n<p>In this example, the attacker is trying to enable the server <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-46122-arbitrary-command-execution-vulnerability-in-commscope-ruckus-unleashed\/\"  data-wpil-monitor-id=\"78911\">command execution<\/a> setting and then execute a malicious command. All of this could be part of a CSRF attack, where the request is sent from the administrator&#8217;s browser without their knowledge.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Overview In the digital landscape, WordPress plugins are often an easy target for cybercriminals due to their widespread use and occasional security oversights. The latest to join the list of vulnerable plugins is the Video Share VOD &#8211; Turnkey Video Site Builder Script plugin, which has been found to possess a critical Cross-Site Request Forgery [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"footnotes":""},"categories":[1],"tags":[],"vendor":[],"product":[],"attack_vector":[90,80],"asset_type":[],"severity":[],"exploit_status":[],"class_list":["post-71093","post","type-post","status-publish","format-standard","hentry","category-uncategorized","attack_vector-csrf","attack_vector-rce"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts\/71093","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/comments?post=71093"}],"version-history":[{"count":8,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts\/71093\/revisions"}],"predecessor-version":[{"id":80095,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts\/71093\/revisions\/80095"}],"wp:attachment":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/media?parent=71093"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/categories?post=71093"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/tags?post=71093"},{"taxonomy":"vendor","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/vendor?post=71093"},{"taxonomy":"product","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/product?post=71093"},{"taxonomy":"attack_vector","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/attack_vector?post=71093"},{"taxonomy":"asset_type","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/asset_type?post=71093"},{"taxonomy":"severity","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/severity?post=71093"},{"taxonomy":"exploit_status","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/exploit_status?post=71093"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}