Platform: wordpress
Component: live-shopping-video-streams
Fixed in: 2.2.1
A Cross-Site Request Forgery (CSRF) vulnerability exists in Channelize.io’s Live Shopping & Shoppable Videos For WooCommerce plugin. This flaw allows an attacker to perform unauthorized actions on a user’s account if that user is tricked into clicking a malicious link. The vulnerability affects versions from 0.0.0 up to and including 2.2.0. A patch is available in a later version of the plugin.
The CSRF vulnerability allows an attacker to execute actions on behalf of an authenticated user without their knowledge or consent. This could include modifying product listings, changing settings, or even initiating live shopping sessions. An attacker could craft a malicious link and place it in a website or email; when a logged-in user clicks it, the forged request is carried out with that user's privileges. The potential impact is significant, as it could lead to unauthorized modifications to the WooCommerce store and potentially compromise customer data or disrupt operations. This is similar to other CSRF vulnerabilities where user actions are performed without explicit consent.
This vulnerability was publicly disclosed on 2025-12-31. There are currently no known public proof-of-concept exploits available. The CVSS score of 4.3 (MEDIUM) indicates a moderate probability of exploitation. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.02% (5th percentile)
The primary mitigation is to upgrade to a version of the Live Shopping & Shoppable Videos For WooCommerce plugin that contains the fix. If upgrading immediately is not possible, consider implementing a Content Security Policy (CSP) to restrict the sources from which the browser can load resources. Additionally, implement strict input validation and output encoding to prevent malicious scripts from being injected. Monitor web application firewalls (WAFs) for suspicious requests originating from untrusted sources. After upgrading, verify the fix by attempting to trigger the CSRF vulnerability with a test account and confirming that the action is blocked.
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
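The monitoring step in the mitigation guidance above can be approximated from web server access logs. The following is an added example, not code from the plugin or from this advisory: it flags state-changing requests to /wp-admin/ whose Referer is missing or points to another site. The hostname shop.example.com, the sample log lines and the function names are assumptions made for the illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

SITE_HOSTS = {"shop.example.com"}  # assumption: the store's own hostname(s)
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}

# Combined log format: ip ident user [time] "METHOD path proto" status size "referer" ...
LINE_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)"'
)

# Constructed sample lines (hosts, paths and times are made up for the example).
SAMPLE_LOG = """\
203.0.113.7 - - [02/Jan/2026:10:15:01 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "https://shop.example.com/wp-admin/admin.php?page=demo" "Mozilla/5.0"
203.0.113.7 - - [02/Jan/2026:10:16:40 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "https://promo.example.net/win.html" "Mozilla/5.0"
203.0.113.7 - - [02/Jan/2026:10:17:02 +0000] "GET /wp-admin/admin.php?page=demo&action=save HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Jan/2026:10:18:09 +0000] "GET /wp-admin/index.php HTTP/1.1" 200 9000 "https://promo.example.net/" "Mozilla/5.0"
"""


def classify(line, site_hosts=SITE_HOSTS):
    """Return 'cross-site', 'no-referer' or None for one access-log line."""
    m = LINE_RE.match(line)
    if not m or not m["path"].startswith("/wp-admin/"):
        return None
    # A forged request only matters if it changes state. Links are GETs, so a
    # GET carrying an action parameter is treated as state-changing as well.
    query = parse_qs(urlsplit(m["path"]).query, keep_blank_values=True)
    if m["method"] not in STATE_CHANGING and "action" not in query:
        return None
    if m["referer"] in ("", "-"):
        return "no-referer"  # Referer can be suppressed, so review these too
    host = (urlsplit(m["referer"]).hostname or "").lower()
    return None if host in site_hosts else "cross-site"


def scan(log_text, site_hosts=SITE_HOSTS):
    """Return [(line_number, verdict), ...] for every flagged line."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), 1):
        verdict = classify(line, site_hosts)
        if verdict:
            hits.append((number, verdict))
    return hits


if __name__ == "__main__":
    for number, verdict in scan(SAMPLE_LOG):
        print(f"line {number}: {verdict}")
```

The output is a list of candidates for review, since legitimate traffic can also arrive without a Referer; it does not replace upgrading to the fixed version.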
CVE-2025-62080 is a Cross-Site Request Forgery (CSRF) vulnerability affecting Channelize.io’s Live Shopping & Shoppable Videos For WooCommerce plugin, allowing unauthorized actions if a user clicks a malicious link.
You are affected if you are using Channelize.io Live Shopping & Shoppable Videos For WooCommerce versions 0.0.0 through 2.2.0. Upgrade to a patched version to resolve the vulnerability.
The recommended fix is to upgrade to a version of the plugin that includes the security patch. Implement CSP and WAF rules as a temporary workaround if immediate upgrade is not possible.
As of now, there are no confirmed reports of active exploitation, but the vulnerability is publicly known and should be addressed promptly.
Refer to the Channelize.io website and their WordPress plugin repository page for the latest security advisories and updates related to CVE-2025-62080.