{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-7812", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-07-18T15:29:07.315Z", "datePublished": "2025-08-28T01:46:29.920Z", "dateUpdated": "2026-04-08T17:18:08.183Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:18:08.183Z"}, "affected": [{"vendor": "videowhisper", "product": "Video Share VOD \u2013 Turnkey Video Site Builder Script", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.7.6", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Video Share VOD \u2013 Turnkey Video Site Builder Script plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.7.6. This is due to missing or incorrect nonce validation on the adminExport() function. This makes it possible for unauthenticated attackers to update settings and execute remote code when the Server command execution setting is enabled via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "Video Share VOD \u2013 Turnkey Video Site Builder Script <= 2.7.6 - Cross-Site Request Forgery to Command Injection", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b9e499c4-e683-4587-b0ab-7f4ecde94e41?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/video-share-vod/trunk/video-share-vod.php#L3360"}, {"url": "https://plugins.trac.wordpress.org/browser/video-share-vod/trunk/inc/options.php#L728"}, {"url": "https://plugins.trac.wordpress.org/changeset/3348480/video-share-vod/trunk/video-share-vod.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Gai Tanaka"}], "timeline": [{"time": "2025-07-18T15:44:16.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-08-27T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-28T14:19:58.849304Z", "id": "CVE-2025-7812", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-28T14:20:09.272Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-7812", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-08-28T14:19:58.849304Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-28T14:20:03.860Z"}}], "cna": {"title": "Video Share VOD \u2013 Turnkey Video Site Builder Script <= 2.7.6 - Cross-Site Request Forgery to Command Injection", "credits": [{"lang": "en", "type": "finder", "value": "Gai Tanaka"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "videowhisper", "product": "Video Share VOD \u2013 Turnkey Video Site Builder Script", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.7.6"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-07-18T15:44:16.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-08-27T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b9e499c4-e683-4587-b0ab-7f4ecde94e41?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/video-share-vod/trunk/video-share-vod.php#L3360"}, {"url": "https://plugins.trac.wordpress.org/browser/video-share-vod/trunk/inc/options.php#L728"}, {"url": "https://plugins.trac.wordpress.org/changeset/3348480/video-share-vod/trunk/video-share-vod.php"}], "descriptions": [{"lang": "en", "value": "The Video Share VOD \u2013 Turnkey Video Site Builder Script plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.7.6. This is due to missing or incorrect nonce validation on the adminExport() function. This makes it possible for unauthenticated attackers to update settings and execute remote code when the Server command execution setting is enabled via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:18:08.183Z"}}}, "cveMetadata": {"cveId": "CVE-2025-7812", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:18:08.183Z", "dateReserved": "2025-07-18T15:29:07.315Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-08-28T01:46:29.920Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Video Share VOD \u2013 Turnkey Video Site Builder Script plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.7.6. This is due to missing or incorrect nonce validation on the adminExport() function. This makes it possible for unauthenticated attackers to update settings and execute remote code when the Server command execution setting is enabled via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "id": "CVE-2025-7812", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-08-28T03:15:38.140", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/video-share-vod/trunk/inc/options.php#L728"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/video-share-vod/trunk/video-share-vod.php#L3360"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3348480/video-share-vod/trunk/video-share-vod.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b9e499c4-e683-4587-b0ab-7f4ecde94e41?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T19:47:33.313143+00:00", "value": {"mitigation_remediation": ["Update the plugin to the latest version that implements proper nonce validation for adminExport, removing the CSRF flaw.", "If an update is unavailable, disable the Server command execution setting in the plugin\u2019s configuration so that a CSRF-induced setting change cannot lead to code execution.", "Ensure that the site\u2019s WordPress core and all other plugins are kept current, and consider deploying a WAF or CSRF protection plugin that enforces nonce checks on admin pages."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution via CSRF"}, "threat_synthesis": {"affected_systems": "The affected product is the Video Share VOD \u2013 Turnkey Video Site Builder Script for WordPress, made by videowhisper. All releases up to and including version 2.7.6 are vulnerable.", "description_and_impact": "The Video Share VOD \u2013 Turnkey Video Site Builder Script allows unauthenticated attackers to perform Cross\u2011Site Request Forgery against the adminExport function because nonce validation is absent or incorrect. A forged request can modify plugin settings and, if the Server command execution option is enabled, trigger remote command execution on the host. This vulnerability is classified as CWE\u2011352 and can lead to full compromise of the affected WordPress site.", "risk_and_exploitability": "The CVSS score of 8.8 categorizes this flaw as high severity, while the EPSS score of less than 1% indicates a low probability of immediate exploitation in the wild. Because the flaw relies on a CSRF attack, an attacker must trick a legitimate administrator into clicking a malicious link or otherwise triggering the forged request. The vulnerability is not currently listed in CISA\u2019s KEV catalog. In practice, the risk is elevated when the site allows the Server command execution setting, as it enables arbitrary code execution once the CSRF succeeds."}}}}, "created": "2026-04-20T20:00:10.505779+00:00", "updated": "2026-04-20T20:00:10.505798+00:00", "vendors": []}