Description
Cross-Site Request Forgery (CSRF) vulnerability in marcusjansen Live Sports Streamthunder live-sports-streamthunder allows Cross Site Request Forgery. This issue affects Live Sports Streamthunder: from n/a through <= 2.1.
Published: 2025-06-20
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Live Sports Streamthunder plugin for WordPress contains a flaw where a missing anti‑CSRF token verification allows an attacker to force an authenticated visitor to submit a request that performs actions on the site without the visitor’s consent. This weakness falls under CWE‑352 and can lead to unauthorized changes to plugin settings or content, compromising the integrity of the affected WordPress installation.

Affected Systems

The vulnerability affects the marcusjansen Live Sports Streamthunder plugin from its earliest available release up through version 2.1. Any WordPress site that has this plugin installed and has not been updated beyond 2.1 is susceptible.

Risk and Exploitability

The CVSS score for this issue is 4.3, indicating moderate severity. The EPSS score of less than 1% suggests a low probability of current exploitation, and the flaw is not listed in the CISA KEV catalog. The CVE description does not detail an explicit exploitation path; from the CSRF nature of the flaw it is inferred that an attacker would likely need to trick a logged‑in user into visiting a malicious URL that submits a forged request to the plugin’s endpoint.

Generated by OpenCVE AI on May 1, 2026 at 07:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Live Sports Streamthunder to the latest available release (≥2.2) from the WordPress plugin repository or the vendor’s website to restore the anti‑CSRF check.
  • If an immediate upgrade is not feasible, deactivate the plugin or limit administrative access to users with the highest privileges using a role‑based access control plugin to prevent vulnerable actions from being executed.
  • Configure a web application firewall or server‑level rule to validate or block requests targeting the plugin’s endpoints, ensuring that only authenticated sessions with a valid CSRF token can proceed.

Generated by OpenCVE AI on May 1, 2026 at 07:22 UTC.

Advisories
Source: EUVD
ID: EUVD-2025-28335
Title: Cross-Site Request Forgery (CSRF) vulnerability in marcusjansen Live Sports Streamthunder allows Cross Site Request Forgery. This issue affects Live Sports Streamthunder: from n/a through 2.1.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Values Removed: Cross-Site Request Forgery (CSRF) vulnerability in marcusjansen Live Sports Streamthunder allows Cross Site Request Forgery. This issue affects Live Sports Streamthunder: from n/a through 2.1.
Values Added: Cross-Site Request Forgery (CSRF) vulnerability in marcusjansen Live Sports Streamthunder live-sports-streamthunder allows Cross Site Request Forgery. This issue affects Live Sports Streamthunder: from n/a through <= 2.1.
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Fri, 20 Jun 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Jun 2025 15:15:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in marcusjansen Live Sports Streamthunder allows Cross Site Request Forgery. This issue affects Live Sports Streamthunder: from n/a through 2.1.
Title WordPress Live Sports Streamthunder plugin <= 2.1 - Cross Site Request Forgery (CSRF) Vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:14.091Z

Reserved: 2025-06-11T16:07:41.545Z

Link: CVE-2025-49967

Vulnrichment

Updated: 2025-06-20T16:25:02.926Z

NVD

Status: Deferred

Published: 2025-06-20T15:15:21.583

Modified: 2026-04-23T15:31:53.293

Link: CVE-2025-49967

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T07:30:11Z

Weaknesses