Description
The Video Share VOD – Turnkey Video Site Builder Script plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.7.6. This is due to missing or incorrect nonce validation on the adminExport() function. This makes it possible for unauthenticated attackers to update settings, and to execute remote code when the Server command execution setting is enabled, via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-08-28
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution via CSRF
Action: Immediate Patch
AI Analysis

Impact

The Video Share VOD – Turnkey Video Site Builder Script allows unauthenticated attackers to perform Cross-Site Request Forgery against the adminExport function because nonce validation is absent or incorrect. A forged request can modify plugin settings and, if the Server command execution option is enabled, trigger remote command execution on the host. This vulnerability is classified as CWE-352 and can lead to full compromise of the affected WordPress site.

Affected Systems

The affected product is the Video Share VOD – Turnkey Video Site Builder Script for WordPress, made by videowhisper. All releases up to and including version 2.7.6 are vulnerable.

Risk and Exploitability

The CVSS score of 8.8 categorizes this flaw as high severity, while the EPSS score of less than 1% indicates a low probability of immediate exploitation in the wild. Because the flaw relies on a CSRF attack, an attacker must trick a legitimate administrator into clicking a malicious link or otherwise triggering the forged request. The vulnerability is not currently listed in CISA’s KEV catalog. In practice, the risk is elevated when the site allows the Server command execution setting, as it enables arbitrary code execution once the CSRF succeeds.

Generated by OpenCVE AI on April 20, 2026 at 19:47 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Update the plugin to the latest version that implements proper nonce validation for adminExport, removing the CSRF flaw.
  • If an update is unavailable, disable the Server command execution setting in the plugin’s configuration so that a CSRF-induced setting change cannot lead to code execution.
  • Ensure that the site’s WordPress core and all other plugins are kept current, and consider deploying a WAF or CSRF protection plugin that enforces nonce checks on admin pages.
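As an added example (not the plugin's or OpenCVE's code), the pattern behind the first recommended action: a WordPress admin handler that updates settings without a nonce check, beside the hardened form that verifies a nonce bound to the action before touching any option. Only the adminExport() name and the Server command execution setting come from the advisory; the function, hook, option and field names (vw_admin_export, vw_settings, server_command_execution) are assumed for illustration.

```php
<?php
// Added illustration, not the plugin's own code. Hook, option and field names
// are assumptions; only the adminExport() name comes from the advisory.

// BEFORE (the CWE-352 pattern the advisory describes): the handler acts on any
// POST that reaches it. A capability check alone does not help, because a forged
// form submitted while the administrator is logged in carries their session
// cookie and therefore passes current_user_can().
function vw_admin_export_unsafe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden' );
    }
    $settings = get_option( 'vw_settings', array() );
    // Assumed stand-in for the plugin's Server command execution toggle.
    $settings['server_command_execution'] = ! empty( $_POST['server_command_execution'] );
    update_option( 'vw_settings', $settings );
}

// AFTER: a nonce tied to this action and to the current user must accompany the
// request. A third-party page cannot read or predict it, so a forged request is
// rejected (check_admin_referer() calls wp_die()) before any setting changes.
function vw_admin_export_safe() {
    // Verifies $_REQUEST['_wpnonce'] against the 'vw_admin_export' action.
    check_admin_referer( 'vw_admin_export' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden' );
    }
    $settings = get_option( 'vw_settings', array() );
    $settings['server_command_execution'] = ! empty( $_POST['server_command_execution'] );
    update_option( 'vw_settings', $settings );
    wp_safe_redirect( admin_url( 'admin.php?page=vw-export&updated=1' ) );
    exit;
}
add_action( 'admin_post_vw_admin_export', 'vw_admin_export_safe' );

// The legitimate admin form must emit the matching nonce field; the hardened
// handler rejects any submission that lacks it.
function vw_render_export_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="vw_admin_export">
        <?php wp_nonce_field( 'vw_admin_export' ); ?>
        <label><input type="checkbox" name="server_command_execution" value="1">
            Enable server command execution</label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

Any other admin-side action that changes state (imports, deletes, setting saves) needs the same nonce-plus-capability pair; the nonce defends against forged requests, the capability check against under-privileged users, and neither substitutes for the other.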

Advisories
Source: EUVD
ID: EUVD-2025-28783
Title: The Video Share VOD – Turnkey Video Site Builder Script plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.7.6. This is due to missing or incorrect nonce validation on the adminExport() function. This makes it possible for unauthenticated attackers to update settings and execute remote code when the Server command execution setting is enabled via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
History

Thu, 28 Aug 2025 15:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 28 Aug 2025 02:30:00 +0000

Type: Description
Values Added: The Video Share VOD – Turnkey Video Site Builder Script plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.7.6. This is due to missing or incorrect nonce validation on the adminExport() function. This makes it possible for unauthenticated attackers to update settings and execute remote code when the Server command execution setting is enabled via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Type: Title
Values Added: Video Share VOD – Turnkey Video Site Builder Script <= 2.7.6 - Cross-Site Request Forgery to Command Injection
Type: Weaknesses
Values Added: CWE-352
Type: References
Values Added: (empty)
Type: Metrics
Values Added: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:18:08.183Z

Reserved: 2025-07-18T15:29:07.315Z

Link: CVE-2025-7812

Vulnrichment

Updated: 2025-08-28T14:20:03.860Z

NVD

Status: Deferred

Published: 2025-08-28T03:15:38.140

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-7812

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T20:00:10Z

Weaknesses