CVE Alert: CVE-2025-7812 – videowhisper – Video Share VOD – Turnkey Video Site Builder Script
CVE-2025-7812
The Video Share VOD – Turnkey Video Site Builder Script plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.7.6. This is due to missing or incorrect nonce validation on the adminExport() function. This makes it possible for unauthenticated attackers to update settings, and to execute remote code when the Server command execution setting is enabled, via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
https://plugins.trac.wordpress.org/browser/video-share-vod/trunk/video-share-vod.php#L3360
https://plugins.trac.wordpress.org/browser/video-share-vod/trunk/inc/options.php#L728
https://plugins.trac.wordpress.org/changeset/3348480/video-share-vod/trunk/video-share-vod.php
AI Summary Analysis
Risk verdict
High risk: CSRF to command injection could allow remote code execution on servers where the dangerous setting is enabled, triggered by a forged admin action.
Why this matters
For sites running WordPress with this plugin, an attacker can exploit weak CSRF protection to force an administrator to perform an action that may execute commands on the server. The impact includes potential site takeovers, defacement, data exposure, or malware deployment, particularly where the Server command execution option is enabled.
Most likely attack path
Attackers can reach targets over the network without initial privileges but require user interaction (admin action) to succeed. The offending flow is triggered by a forged request due to missing or broken nonce validation, and the full impact hinges on the Server command execution setting being enabled. If enabled, a successful CSRF can escalate to remote code execution within the WP hosting environment.
Who is most exposed
WordPress sites using Video Share VOD – Turnkey Video Site Builder Script, especially on shared hosting or small business deployments where admin access is exposed to the internet and plugin updates are not promptly applied.
Detection ideas
- Unusual POST requests to the adminExport endpoint without valid nonces or from unfamiliar IPs.
- Admin actions triggered following crafted links or emails, with anomalous settings changes.
- Logs showing attempts to execute server commands or PHP function calls after a settings export action.
- Code review findings of missing or incorrect nonce validation on the adminExport code path.
Mitigation and prioritisation
- Patch immediately: update to the fixed version and verify plugin integrity.
- Disable or remove the Server command execution option if not essential; apply least-privilege settings.
- Ensure nonce validation is correctly implemented for admin actions; enforce WordPress core CSRF protections.
- Implement MFA for administrators; restrict admin access by IP where feasible; monitor for anomalous admin activity.
- Change-management: test updates in staging before production; schedule rapid patching if KEV or EPSS signals indicate active exploitation. If the CVE is listed in KEV or EPSS ≥ 0.5, treat as priority 1.
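To make the nonce-validation mitigation concrete, here is an added illustration of the vulnerable pattern beside its hardened form. This is not the plugin's own code; the function, action and option names (vsv_demo_*) are assumptions chosen for the demonstration.

```php
<?php
// Added illustration, not code from the Video Share VOD plugin.
// All vsv_demo_* names are hypothetical.

// Vulnerable pattern: an admin action that trusts any POST it receives.
function vsv_demo_export_vulnerable() {
    // No nonce check and no capability check: a cross-site request made by
    // a logged-in administrator's browser is indistinguishable from a
    // genuine form submission, so settings can be overwritten by a third party.
    update_option( 'vsv_demo_settings', wp_unslash( $_POST['settings'] ) );
}

// Hardened pattern: verify who is asking and that the request carries the
// nonce WordPress issued for this specific action.
function vsv_demo_export_hardened() {
    // Only users allowed to manage options may change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // check_admin_referer() validates the nonce bound to this action and the
    // current user's session, and terminates with a 403 when it is absent
    // or invalid. This is the check a CSRF forgery cannot satisfy.
    check_admin_referer( 'vsv_demo_export', 'vsv_demo_nonce' );

    // Sanitize before persisting; never store raw request data.
    $settings = isset( $_POST['settings'] ) ? (array) wp_unslash( $_POST['settings'] ) : array();
    $settings = array_map( 'sanitize_text_field', $settings );
    update_option( 'vsv_demo_settings', $settings );
}

// The legitimate admin form must emit the matching nonce field; forged
// requests from other origins have no way to obtain a valid value.
function vsv_demo_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'vsv_demo_export', 'vsv_demo_nonce' );
    echo '<input type="hidden" name="action" value="vsv_demo_export">';
    echo '<input type="text" name="settings[title]">';
    submit_button( 'Export' );
    echo '</form>';
}

// Route the admin-post action to the hardened handler only.
add_action( 'admin_post_vsv_demo_export', 'vsv_demo_export_hardened' );
```

The same nonce-plus-capability check should guard every state-changing admin action, including the one that toggles the Server command execution setting, since that setting is what turns a settings change into code execution.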