CVE-2025-62734

MEDIUM
2025-12-09 [email protected]
4.3
CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

CVE Published: Dec 09, 2025 - 16:18 (nvd), rated MEDIUM 4.3
Analysis Generated: Apr 01, 2026 - 15:22 (vuln.today)

Description

Cross-Site Request Forgery (CSRF) vulnerability in M.Code Media Library Downloader (media-library-downloader) allows Cross Site Request Forgery. This issue affects Media Library Downloader: from n/a through <= 1.4.0.

Analysis

Cross-site request forgery (CSRF) in the WordPress Media Library Downloader plugin, versions up to and including 1.4.0, lets an unauthenticated attacker trigger the plugin's state-changing actions inside the session of a logged-in user (typically an administrator) by getting that user to load a crafted page while authenticated. The attack needs user interaction (UI:R), does not cross a security boundary (S:U), and affects integrity only (I:L), with no confidentiality or availability impact. The EPSS exploitation probability is very low at 0.02% (5th percentile), so despite public disclosure, real-world exploitation is unlikely.

Technical Context

This is a classic CSRF vulnerability (CWE-352) in a WordPress plugin: a state-changing request handler that does not validate a WordPress nonce (or any other anti-CSRF token) before acting. Media Library Downloader is a WordPress plugin for bulk-downloading media assets. Because WordPress authenticates requests with session cookies that the browser attaches automatically, an attacker-controlled page on another origin can submit a form or fire a request to the unprotected handler, and it executes with the victim's privileges. The public advisory does not name the affected action or endpoint. The attack surface is limited to sites with the plugin activated, and the effective impact is bounded by the capabilities of the user who is tricked: the victim must have an active WordPress login session in the same browser, and the handler can do no more than that user could do directly.

Affected Products

M.Code Media Library Downloader WordPress plugin, version 1.4.0 and all earlier versions. The plugin is distributed through the WordPress.org plugin repository under the slug media-library-downloader. Any installation running version 1.4.0 or earlier is affected.

Remediation

Update Media Library Downloader to version 1.4.1 or later, which includes the missing nonce validation. Check the installed version from the Plugins screen or with WP-CLI (wp plugin get media-library-downloader --field=version), then apply the update through the WordPress plugin updater or a fresh download from the WordPress.org repository; the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/media-library-downloader/ tracks the disclosure. If the update cannot be applied immediately, deactivate the plugin, keep the accounts that hold media-management capabilities (upload_files, manage_options) to a minimal set of trusted administrators, and remind users not to open unfamiliar links while logged into WordPress. After patching, confirm the update completed, test the media download functionality, and, if you audit the plugin's code, check that every state-changing handler pairs a nonce check (check_admin_referer() or check_ajax_referer()) with a capability check (current_user_can()); the nonce alone does not establish that the user is allowed to perform the action.
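The following is an added example illustrating the missing-nonce pattern described under Technical Context and the fix pattern described under Remediation. It is not code from the Media Library Downloader plugin or from its vendor; the hook names, action names, option name and capability choices (everything prefixed mld_) are hypothetical stand-ins chosen for the illustration, and the WordPress functions used (check_admin_referer, check_ajax_referer, wp_nonce_field, current_user_can and the rest) are the standard core APIs.

```php
<?php
/**
 * Added example, not plugin code. Shows an admin-post handler without CSRF
 * protection next to the hardened version. All mld_* names are hypothetical.
 */

// --- Vulnerable pattern: every POST that reaches admin-post.php is trusted. ---
// A page on another origin can auto-submit a form to
// /wp-admin/admin-post.php with action=mld_set_options_unsafe. The victim's
// browser attaches the WordPress login cookies, so this runs in their session.
add_action('admin_post_mld_set_options_unsafe', function () {
    update_option('mld_download_dir', sanitize_text_field(wp_unslash($_POST['download_dir'] ?? '')));
    wp_safe_redirect(admin_url('upload.php?page=mld'));
    exit;
});

// --- Hardened pattern: capability check plus a nonce bound to the action. ---
add_action('admin_post_mld_set_options', function () {
    // 1. Authorization: the requesting user must be allowed to do this at all.
    if (!current_user_can('manage_options')) {
        wp_die(__('Sorry, you are not allowed to do that.'), 403);
    }
    // 2. CSRF: check_admin_referer() verifies the 'mld_set_options' nonce in
    //    $_POST['_wpnonce'] and stops with a 403 if it is missing or invalid.
    //    The nonce is derived from the user ID and session token, so a page on
    //    another origin cannot forge it.
    check_admin_referer('mld_set_options');

    update_option('mld_download_dir', sanitize_text_field(wp_unslash($_POST['download_dir'] ?? '')));
    wp_safe_redirect(add_query_arg('updated', '1', admin_url('upload.php?page=mld')));
    exit;
});

// --- The settings form that carries the nonce the hardened handler expects. ---
function mld_render_options_form() {
    ?>
    <form method="post" action="<?php echo esc_url(admin_url('admin-post.php')); ?>">
        <input type="hidden" name="action" value="mld_set_options">
        <?php wp_nonce_field('mld_set_options'); ?>
        <input type="text" name="download_dir"
               value="<?php echo esc_attr(get_option('mld_download_dir', '')); ?>">
        <?php submit_button(__('Save')); ?>
    </form>
    <?php
}

// --- Same two checks on an AJAX endpoint (wp_ajax_*). ---
// The front-end obtains the nonce via wp_create_nonce('mld_download_item'),
// usually handed to the script with wp_localize_script(), and posts it as 'nonce'.
add_action('wp_ajax_mld_download_item', function () {
    if (!current_user_can('upload_files')) {
        wp_send_json_error('forbidden', 403);
    }
    check_ajax_referer('mld_download_item', 'nonce'); // responds -1 and exits on failure

    $attachment_id = absint($_POST['attachment_id'] ?? 0);
    $file          = get_attached_file($attachment_id);
    if (!$file) {
        wp_send_json_error('not found', 404);
    }
    wp_send_json_success(['file' => basename($file)]);
});
```

Note that no admin_post_nopriv_ or wp_ajax_nopriv_ variant is registered, so logged-out requests never reach these handlers, and the capability check comes before the nonce check so that a valid nonce from a low-privilege user still cannot perform an administrator-only action.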

Priority Score

22 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +22
POC: 0

CVE-2025-62734 vulnerability details – vuln.today