Platform
wordpress
Component
media-library-downloader
Fixed in
1.4.1
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in M.Code Media Library Downloader. This flaw allows an attacker to trick authenticated users into performing actions they did not intend to, potentially leading to unauthorized modifications or deletions of media files. The vulnerability impacts versions from 0.0.0 through 1.4.0. A fix is expected in a future release.
The CSRF vulnerability in Media Library Downloader allows attackers to leverage authenticated user sessions to execute malicious actions. An attacker could craft a malicious link or embed a hidden form on a website they control. When a user with an active Media Library Downloader session visits this malicious page, the browser submits the forged request and the site processes it with the user's privileges. This could result in the attacker deleting media files, modifying settings, or performing other actions as if they were the legitimate user. The blast radius is limited to the scope of actions available within the Media Library Downloader plugin, but the impact can be significant for users who rely on the plugin for managing their media assets.
This vulnerability is currently not listed on KEV. The CVSS score of 4.3 (MEDIUM) suggests a moderate probability of exploitation. Public proof-of-concept exploits are not currently known. The vulnerability was publicly disclosed on 2025-12-09.
Exploit Status
EPSS
0.02% (5% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-62734 is to upgrade to a patched version of Media Library Downloader as soon as it becomes available. Until a patch is released, consider implementing temporary workarounds. One approach is to restrict access to sensitive Media Library Downloader functions using WordPress's built-in capabilities or custom code to require additional authentication steps. Implementing a Content Security Policy (CSP) can also help mitigate CSRF attacks by restricting the sources from which scripts can be executed. Monitor WordPress access logs for suspicious requests targeting Media Library Downloader endpoints.
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
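As an added example (not code from the Media Library Downloader plugin or its author), this shows how a WordPress plugin protects a state-changing media action against CSRF using the built-in nonce and capability APIs referred to in the mitigation above; the `mld_example_*` function names, the form field names and the `admin_post_` action name are hypothetical.

```php
<?php
// Added example, not the plugin's own code. A hypothetical admin-post
// handler that deletes a media attachment, protected against CSRF with a
// WordPress nonce plus a capability check.

// Render the form: wp_nonce_field() embeds a per-user, time-limited token
// bound to this specific action and attachment ID.
function mld_example_render_delete_form( int $attachment_id ): void {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="mld_example_delete_media">
        <input type="hidden" name="attachment_id" value="<?php echo esc_attr( $attachment_id ); ?>">
        <?php wp_nonce_field( 'mld_example_delete_media_' . $attachment_id, '_mld_nonce' ); ?>
        <button type="submit">Delete</button>
    </form>
    <?php
}

// Handle the POST. Without the nonce check, any third-party page the
// logged-in user visits could submit this form on their behalf; that is
// the class of flaw described in this advisory.
function mld_example_handle_delete_media(): void {
    $attachment_id = isset( $_POST['attachment_id'] ) ? absint( $_POST['attachment_id'] ) : 0;

    // 1. Authorisation: the user must be allowed to delete this attachment.
    //    A nonce proves intent, not permission, so this check is separate.
    if ( ! $attachment_id || ! current_user_can( 'delete_post', $attachment_id ) ) {
        wp_die( 'Insufficient permissions.', 'Forbidden', array( 'response' => 403 ) );
    }

    // 2. CSRF: the request must carry a nonce valid for this action and ID.
    //    check_admin_referer() calls wp_die() itself when the nonce is invalid.
    check_admin_referer( 'mld_example_delete_media_' . $attachment_id, '_mld_nonce' );

    // 3. Only now perform the state-changing action.
    if ( ! wp_delete_attachment( $attachment_id, true ) ) {
        wp_die( 'Deletion failed.', 'Error', array( 'response' => 500 ) );
    }

    wp_safe_redirect( wp_get_referer() ?: admin_url( 'upload.php' ) );
    exit;
}
add_action( 'admin_post_mld_example_delete_media', 'mld_example_handle_delete_media' );
```

Note that a nonce only establishes that the request originated from a form the site rendered for this user; the capability check is what prevents a lower-privileged user from deleting media they do not own.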
CVE-2025-62734 is a Cross-Site Request Forgery vulnerability in M.Code Media Library Downloader, allowing attackers to perform unauthorized actions via crafted requests.
If you are using Media Library Downloader versions 0.0.0 through 1.4.0, you are potentially affected by this vulnerability.
Upgrade to a patched version of Media Library Downloader as soon as it becomes available. Until then, implement temporary workarounds like restricting access and using CSP.
There are currently no confirmed reports of active exploitation, but the vulnerability's nature makes it a potential target.
Check the M.Code website or WordPress plugin repository for updates and advisories related to CVE-2025-62734.