Video Share VOD WordPress Plugin Cross-Site Request Forgery Vulnerability
Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the Video Share VOD – Turnkey Video Site Builder Script plugin for WordPress, affecting all versions through 2.7.6. The flaw is missing or incorrect nonce validation in the adminExport() function, which lets an unauthenticated attacker change plugin settings through a forged request and, when the plugin's Server command execution option is enabled, achieve remote code execution. Exploitation requires tricking a site administrator into clicking a link that submits the forged request.
Impact
A successful attack could change plugin settings without authorization and, where the Server command execution option is enabled, execute arbitrary code on the server.
Reproduction
Reproducing this vulnerability requires a forged request to the adminExport() function, which performs no nonce validation. Because the request must be sent from the administrator's own browser session, the attacker has to trick a logged-in administrator into clicking a link or performing an action that submits it; the function then runs without any check that the administrator intended the change.
Remediation
Users are advised to update the Video Share VOD WordPress plugin to version 2.7.7 or later, where this vulnerability has been patched.
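As an added illustration (not the plugin's own code), a hypothetical WordPress admin_post handler that shows the missing-nonce pattern the advisory describes beside the hardened form; every function, hook and option name prefixed vsvod_example_ is assumed for this example.

```php
<?php
// Hypothetical admin_post handler, added here for illustration only;
// this is not the Video Share VOD plugin's own code.

// Vulnerable pattern: the export handler reads settings from the request
// and saves them with no nonce or capability check, so any page a
// logged-in administrator visits can submit this request on their behalf.
function vsvod_example_admin_export_unsafe() {
    $settings = isset( $_POST['settings'] ) ? (array) $_POST['settings'] : array();
    update_option( 'vsvod_example_settings', $settings );
    wp_safe_redirect( admin_url( 'admin.php?page=vsvod_example&done=1' ) );
    exit;
}

// Hardened form: require an administrator, verify a nonce bound to this
// specific action, and sanitise the submitted values before saving them.
function vsvod_example_admin_export_safe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // check_admin_referer() stops with an "are you sure" page when the
    // nonce field is missing or invalid, which is what defeats a forged
    // request: a third-party page cannot obtain the administrator's nonce.
    check_admin_referer( 'vsvod_example_admin_export', '_vsvod_nonce' );

    $raw      = isset( $_POST['settings'] ) ? (array) $_POST['settings'] : array();
    $settings = array();
    foreach ( $raw as $key => $value ) {
        $settings[ sanitize_key( $key ) ] = sanitize_text_field( wp_unslash( $value ) );
    }
    update_option( 'vsvod_example_settings', $settings );
    wp_safe_redirect( admin_url( 'admin.php?page=vsvod_example&done=1' ) );
    exit;
}
add_action( 'admin_post_vsvod_example_export', 'vsvod_example_admin_export_safe' );

// The settings form emits the nonce field that the hardened handler checks.
function vsvod_example_render_export_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="vsvod_example_export" />';
    wp_nonce_field( 'vsvod_example_admin_export', '_vsvod_nonce' );
    echo '<input type="text" name="settings[title]" />';
    submit_button( 'Export' );
    echo '</form>';
}
```

The nonce check alone is not sufficient: the capability check is what keeps a lower-privileged but logged-in user, who can obtain a nonce for their own session, from reaching the settings update.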