CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
Description (NVD)
The wp-file-download WordPress plugin before 6.2.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting vulnerability.
Analysis (AI)
CVE-2025-5034 is a Reflected Cross-Site Scripting (XSS) vulnerability in the wp-file-download WordPress plugin in versions before 6.2.6, caused by a failure to sanitize and escape a user-supplied parameter before it is output. Attackers can craft malicious URLs containing JavaScript payloads that execute in a victim's browser when the link is opened, potentially stealing session cookies, hijacking accounts, or performing unauthorized actions in the victim's session. The vulnerability requires user interaction (a victim must open a crafted link) but no authentication on the attacker's side, making it a moderate-to-significant risk for WordPress installations using this plugin.
Technical Context (AI)
The wp-file-download plugin is a WordPress content delivery and file management extension that handles file download requests. The vulnerability stems from CWE-79 (Improper Neutralization of Input During Web Page Generation), a classic reflected XSS flaw where user-controlled input from URL parameters or form data is directly echoed into HTML responses without proper sanitization (via WordPress functions like sanitize_text_field(), sanitize_url()) or escaping (via esc_html(), esc_url(), esc_attr(), or esc_js()). The affected CPE is likely 'cpe:2.3:a:wp-file-download:wp-file-download:*:*:*:*:*:wordpress:*:*' with versions <6.2.6. The plugin likely processes file download requests through a parameter (possibly 'file', 'download', or 'url') that is rendered in the page without proper output encoding, allowing arbitrary HTML/JavaScript injection.
Remediation (AI)
- Immediate Patch (priority: CRITICAL): Update the wp-file-download plugin to version 6.2.6 or later immediately. Method: WordPress Admin Dashboard > Plugins > Available Updates, or via WP-CLI: 'wp plugin update wp-file-download'.
- Temporary Mitigation (priority: HIGH; if immediate patching is delayed): Disable the wp-file-download plugin temporarily in WordPress. Method: WordPress Admin Dashboard > Plugins > Deactivate, or WP-CLI: 'wp plugin deactivate wp-file-download'.
- Web Application Firewall (WAF) (priority: MEDIUM): Implement WAF rules to detect and block XSS payloads in URL parameters targeting the plugin's vulnerable endpoints. Method: Configure Wordfence, Sucuri, or ModSecurity rules to sanitize plugin requests.
- Input Validation Hardening (priority: MEDIUM; for developers using the plugin): Review any custom code integrating wp-file-download and apply WordPress sanitization/escaping functions. Method: Use sanitize_text_field(), esc_url(), esc_html() on all user inputs before rendering.
- Monitoring (priority: LOW): Monitor web server and WordPress logs for exploitation attempts (unusual URL parameters, script tags in queries). Method: Review access logs for suspicious file download requests with encoded script payloads.
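The CWE-79 pattern described in the Technical Context and the escaping rule in the Input Validation Hardening item above, as an added PHP example that is not the plugin's code and does not come from this page: a render function that echoes a request parameter straight into HTML, next to a hardened version that sanitizes on input and escapes for each output context. The parameter name file, the function names, and the sample request are hypothetical; the fallback definitions of esc_html(), esc_attr() and sanitize_text_field() are approximations that let the file run outside WordPress, where the real helpers are used instead.

```php
<?php
// Added example (not the wp-file-download plugin's code). The parameter
// name "file" is a placeholder; the page does not name the real parameter.

// Fallbacks so the file runs stand-alone with `php example.php`. Inside
// WordPress these are already defined and the fallbacks are skipped.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        // Approximation of WordPress esc_html(): HTML-encode for text nodes.
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        // Approximation of WordPress esc_attr(): HTML-encode for attribute values.
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field(string $text): string {
        // Approximation of the WordPress helper: drop tags and control
        // characters, then trim surrounding whitespace.
        return trim(preg_replace('/[\x00-\x1F\x7F]/', '', strip_tags($text)));
    }
}

// Vulnerable pattern: the request parameter is reflected into the response
// unchanged, in both a text context and an attribute context.
function render_download_notice_vulnerable(array $get): string {
    $file = (string) ($get['file'] ?? '');
    return '<p>Preparing download of ' . $file . '</p>'
         . '<a href="?file=' . $file . '">Retry</a>';
}

// Hardened pattern: sanitize once on input, then escape for the exact
// context the value lands in (text node vs. URL inside an attribute).
function render_download_notice_hardened(array $get): string {
    $file = sanitize_text_field((string) ($get['file'] ?? ''));
    return '<p>Preparing download of ' . esc_html($file) . '</p>'
         . '<a href="?file=' . esc_attr(rawurlencode($file)) . '">Retry</a>';
}

// Constructed request containing markup and a quote, standing in for the
// query string of a crafted link.
$request = ['file' => 'report.pdf<b>x</b>"'];

echo "Vulnerable: ", render_download_notice_vulnerable($request), PHP_EOL;
echo "Hardened:   ", render_download_notice_hardened($request), PHP_EOL;
```

In the vulnerable output the `<b>` tag and the quote character survive verbatim, so the browser parses attacker-controlled markup and the stray quote breaks out of the href attribute. In the hardened output the tag is stripped by sanitize_text_field(), the remaining quote is encoded by esc_html() in the text node, and the attribute carries a URL-encoded value wrapped in esc_attr(), which is the context-specific escaping the remediation list calls for.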
EUVD identifier: EUVD-2025-28370