Impact
The vulnerability stems from a missing authorization check in the Live Shopping & Shoppable Videos For WooCommerce plugin. An attacker can send crafted requests to plugin endpoints that do not enforce access controls, allowing privileged actions such as viewing, modifying, or deleting shopping video content and related configuration. Because the plugin processes these requests without verifying the caller’s role, the flaw can lead to unauthorized data exposure or manipulation.
Affected Systems
The issue affects the WordPress plugin Live Shopping & Shoppable Videos For WooCommerce, developed by Channelize.io Team, in all released versions up to and including 2.2.0. No version numbers are listed other than that 2.2.0 maximum, and the earliest affected version is not defined (n/a).
Risk and Exploitability
The CVSS score for this vulnerability is 5.3, indicating medium severity, while the EPSS score is in the sub‑1% range, suggesting a low probability of exploitation. The flaw is not listed in the CISA KEV catalog. Because the authorization check is missing, an attacker can exploit the issue by sending requests directly to the plugin’s endpoints, most likely via the web interface or API. Since the plugin runs within WordPress, the attack vector is inferred to be remote. Exploitation requires that the attacker can reach the site and interact with plugin URLs; no elevated privileges are required beyond the ability to send requests.