Skip to main content

CVE-2025-62114

MEDIUM
Exposure of Sensitive System Information to an Unauthorized Control Sphere (CWE-497)
2025-12-31 audit@patchstack.com
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
CVSS changed
Apr 23, 2026 - 15:43 NVD
5.3 (MEDIUM)
Analysis Generated
Apr 01, 2026 - 17:44 vuln.today
CVE Published
Dec 31, 2025 - 16:15 nvd
N/A

DescriptionCVE.org

Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in marcelotorres Download Media Library download-media-library allows Retrieve Embedded Sensitive Data.This issue affects Download Media Library: from n/a through <= 0.2.1.

AnalysisAI

Download Media Library WordPress plugin through version 0.2.1 exposes sensitive system information to unauthorized users via embedded data retrieval. The vulnerability allows unauthenticated attackers to access restricted system details without proper access controls, though real-world exploitation probability remains low (EPSS 0.04%). No public exploit code or active exploitation has been confirmed.

Technical ContextAI

CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere) describes improper access controls that expose internal system data beyond intended security boundaries. In this WordPress plugin context, the vulnerability stems from insufficient authorization checks on functions or endpoints that retrieve or expose embedded metadata, configuration details, or system information. The plugin architecture fails to properly compartmentalize sensitive data, allowing any user (authenticated or unauthenticated) to access information that should remain restricted to administrators or privileged roles. This is a common issue in WordPress plugins when developers expose data through REST endpoints, AJAX handlers, or template functions without verifying user capabilities.

Affected ProductsAI

The vulnerability affects marcelotorres Download Media Library WordPress plugin in all versions from the earliest release through version 0.2.1 inclusive. The plugin is distributed via WordPress.org plugin repository and identified by slug download-media-library. Users running any version up to and including 0.2.1 are affected. Patchstack has confirmed the vulnerability via their security audit at https://patchstack.com/database/Wordpress/Plugin/download-media-library/vulnerability/wordpress-download-media-library-plugin-0-2-1-sensitive-data-exposure-vulnerability.

RemediationAI

Update Download Media Library plugin to version 0.2.2 or later as soon as a patched release becomes available. Until an official patch is released, disable the plugin entirely to prevent unauthorized sensitive data exposure. Ensure only administrators can access plugin functionality by implementing role-based access restrictions at the WordPress level (user capability checks via current_user_can()). Verify the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/download-media-library/vulnerability/wordpress-download-media-library-plugin-0-2-1-sensitive-data-exposure-vulnerability for updates on patch availability and detailed remediation guidance from the vendor.

Share

CVE-2025-62114 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy