Description
Cross-Site Request Forgery (CSRF) vulnerability in videowhisper Broadcast Live Video videowhisper-live-streaming-integration allows Cross Site Request Forgery.This issue affects Broadcast Live Video: from n/a through <= 6.2.4.
Published: 2025-05-19
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerablility is a CSRF flaw in the Broadcast Live Video plugin that allows an attacker to trick an authenticated WordPress user into sending a request that performs an action on the site without the user's consent. The flaw can lead to unauthorized changes to the live‑stream configuration or other state‑changing operations carried out by the victim’s account, potentially compromising the integrity of streaming services.

Affected Systems

The affected product is the WordPress plugin Broadcast Live Video from videowhisper, with all releases up to and including version 6.2.4 impacted.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate severity. The EPSS score of less than 1 % suggests a low probability of exploitation, and the vulnerability is not listed in CISA’s KEV catalog. Though the flaw does not provide remote code execution, based on the description it is inferred that an attacker could exploit it via a crafted web request originating from a malicious page or phishing email. Successful exploitation requires the victim to be authenticated and thus is most impactful against users with elevated capabilities for stream management.

Generated by OpenCVE AI on April 30, 2026 at 19:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Broadcast Live Video plugin to the latest version that removes the CSRF vulnerability.
  • If an update is not immediately available, add CSRF nonce verification to all state‑changing API endpoints exposed by the plugin.
  • Limit the use of those endpoints to users with the minimum required capabilities, and audit user roles that can trigger live‑stream changes.
  • Deploy a site‑wide security plugin to enforce referer checks and block suspicious cross‑site requests.

Generated by OpenCVE AI on April 30, 2026 at 19:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-16418 Cross-Site Request Forgery (CSRF) vulnerability in videowhisper Broadcast Live Video – Live Streaming : WebRTC, HLS, RTSP, RTMP allows Cross Site Request Forgery. This issue affects Broadcast Live Video – Live Streaming : WebRTC, HLS, RTSP, RTMP: from n/a through 6.2.4.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in videowhisper Broadcast Live Video – Live Streaming : WebRTC, HLS, RTSP, RTMP allows Cross Site Request Forgery. This issue affects Broadcast Live Video – Live Streaming : WebRTC, HLS, RTSP, RTMP: from n/a through 6.2.4. Cross-Site Request Forgery (CSRF) vulnerability in videowhisper Broadcast Live Video videowhisper-live-streaming-integration allows Cross Site Request Forgery.This issue affects Broadcast Live Video: from n/a through <= 6.2.4.
Title WordPress Broadcast Live Video – Live Streaming : WebRTC, HLS, RTSP, RTMP <= 6.2.4 - Cross Site Request Forgery (CSRF) Vulnerability WordPress Broadcast Live Video – Live Streaming : WebRTC, HLS, RTSP, RTMP plugin <= 6.2.4 - Cross Site Request Forgery (CSRF) Vulnerability
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

 cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Thu, 17 Jul 2025 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Videowhisper videowhisper Live Streaming Integration
CPEs cpe:2.3:a:videowhisper:broadcast_live_video:*:*:*:*:*:wordpress:*:* cpe:2.3:a:videowhisper:videowhisper_live_streaming_integration:*:*:*:*:*:wordpress:*:*
Vendors & Products Videowhisper broadcast Live Video
Videowhisper videowhisper Live Streaming Integration

Thu, 29 May 2025 21:15:00 +0000

Type Values Removed Values Added
First Time appeared Videowhisper
Videowhisper broadcast Live Video
CPEs cpe:2.3:a:videowhisper:broadcast_live_video:*:*:*:*:*:wordpress:*:*
Vendors & Products Videowhisper
Videowhisper broadcast Live Video

Mon, 19 May 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 19 May 2025 15:00:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in videowhisper Broadcast Live Video – Live Streaming : WebRTC, HLS, RTSP, RTMP allows Cross Site Request Forgery. This issue affects Broadcast Live Video – Live Streaming : WebRTC, HLS, RTSP, RTMP: from n/a through 6.2.4.
Title WordPress Broadcast Live Video – Live Streaming : WebRTC, HLS, RTSP, RTMP <= 6.2.4 - Cross Site Request Forgery (CSRF) Vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Subscriptions

Videowhisper Videowhisper Live Streaming Integration
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:53.905Z

Reserved: 2025-05-19T14:13:09.841Z

Link: CVE-2025-48255

cve-icon Vulnrichment

Updated: 2025-05-19T15:09:25.700Z

cve-icon NVD

Status : Modified

Published: 2025-05-19T15:15:28.443

Modified: 2026-04-23T15:30:58.567

Link: CVE-2025-48255

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T20:00:14Z

Weaknesses