Platform: wordpress
Component: download-plugins-dashboard
Fixed in: 1.9.7
CVE-2025-14399 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the Download Plugins and Themes in ZIP plugin for WordPress. This vulnerability allows unauthenticated attackers to archive all plugins and themes on a WordPress site and place them in the wp-content/uploads/ directory. The vulnerability impacts versions 1.0.0 through 1.9.6, and a fix is available in version 1.9.7.
An attacker exploiting this CSRF vulnerability could use a malicious link to trick a logged-in site administrator into unknowingly triggering the archiving of all plugins and themes. The resulting archives would be written to the wp-content/uploads/ directory, which a WordPress web server normally serves directly, potentially exposing plugin and theme code or configuration files. While direct code execution is not possible, exposure of plugin and theme source code could reveal further vulnerabilities or provide insight into the site's architecture, enabling subsequent attacks. The blast radius extends to the entire WordPress site, as all installed plugins and themes are susceptible to archiving.
This vulnerability is currently not listed on the CISA KEV catalog. Public proof-of-concept exploits are not widely available, suggesting a low to medium probability of active exploitation. The vulnerability was disclosed publicly on 2025-12-17, and it is recommended to prioritize remediation to prevent potential exploitation.
Exploit Status
EPSS: 0.02% (4th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2025-14399 is to immediately upgrade the Download Plugins and Themes in ZIP plugin to version 1.9.7 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing stricter access controls and user awareness training to minimize the risk of administrators clicking on malicious links. Web Application Firewalls (WAFs) configured to detect and block CSRF attacks can provide an additional layer of defense. Verify the upgrade by attempting a plugin download and confirming that the action requires proper authentication.
Update to version 1.9.7, or a newer patched version
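As an added defender-side example (not code from the plugin or from this advisory), the following script does two checks a site operator would want after reading the above: it reads the plugin's header to see whether the installed version predates the 1.9.7 fix, and it scans wp-content/uploads/ for zip archives named after installed plugin or theme slugs, which is the artefact this CSRF leaves behind. It assumes the standard wp-content layout and that the archives are named after the slug (with or without a version suffix); the fixture it builds is constructed sample data.

```python
import os
import re
import tempfile

FIXED_VERSION = (1, 9, 7)  # advisory: 1.0.0 through 1.9.6 affected, fixed in 1.9.7

def parse_version(header_text):
    """Read the 'Version:' line of a WordPress plugin header into an int tuple."""
    m = re.search(r"^\s*\*?\s*Version:\s*([\d.]+)", header_text, re.MULTILINE)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def is_vulnerable(version):
    """True when the installed version predates the fixed release."""
    return version is not None and version < FIXED_VERSION

def suspicious_archives(wp_content):
    """Zip files under uploads/ named after an installed plugin or theme slug."""
    slugs = set()
    for sub in ("plugins", "themes"):
        d = os.path.join(wp_content, sub)
        if os.path.isdir(d):
            slugs.update(n for n in os.listdir(d) if os.path.isdir(os.path.join(d, n)))
    hits = []
    for root, _dirs, files in os.walk(os.path.join(wp_content, "uploads")):
        for f in files:
            if f.lower().endswith(".zip"):
                base = f[:-4]
                # Assumption: archives are named <slug>.zip or <slug>-<version>.zip.
                stem = re.split(r"[.-]\d", base, maxsplit=1)[0]
                if base in slugs or stem in slugs:
                    hits.append(os.path.relpath(os.path.join(root, f), wp_content))
    return sorted(hits)

def build_sample(wp_content):
    """Constructed fixture: a 1.9.6 install plus one theme archive in uploads/."""
    plugin = os.path.join(wp_content, "plugins", "download-plugins-dashboard")
    os.makedirs(plugin)
    with open(os.path.join(plugin, "download-plugins-dashboard.php"), "w") as fh:
        fh.write("<?php\n/*\nPlugin Name: Download Plugins and Themes in ZIP\nVersion: 1.9.6\n*/\n")
    os.makedirs(os.path.join(wp_content, "themes", "twentytwentyfour"))
    uploads = os.path.join(wp_content, "uploads", "2025", "12")
    os.makedirs(uploads)
    for name in ("twentytwentyfour.zip", "holiday-photos.zip"):
        open(os.path.join(uploads, name), "w").close()
    return os.path.join(plugin, "download-plugins-dashboard.php")

def scan_sample():
    """Build the fixture in a scratch directory and run both checks against it."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(build_sample(tmp)) as fh:
            vulnerable = is_vulnerable(parse_version(fh.read()))
        return vulnerable, suspicious_archives(tmp)
```

On a real install, point suspicious_archives at the site's wp-content directory and treat any hit as something to explain, since nothing in normal WordPress operation writes plugin or theme archives there.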
CVE-2025-14399 is a Cross-Site Request Forgery (CSRF) vulnerability in the Download Plugins and Themes in ZIP WordPress plugin, allowing attackers to archive plugins/themes via forged requests.
You are affected if you are using the Download Plugins and Themes in ZIP plugin versions 1.0.0 through 1.9.6.
Upgrade the plugin to version 1.9.7 or later to resolve the vulnerability. Consider WAF rules and user training as additional mitigation.
There is no widespread evidence of active exploitation at this time, but it's recommended to apply the patch promptly.
Refer to the plugin developer's website or WordPress plugin repository for the official advisory and update information.