Platform
wordpress
Component
media-library-downloader
Fixed in
1.4.1
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in M.Code Media Library Downloader. The flaw allows an attacker to trick an authenticated user's browser into submitting requests the user did not intend, potentially leading to unauthorized modification or deletion of media files. The vulnerability affects versions 0.0.0 through 1.4.0 and is fixed in 1.4.1.
The CSRF vulnerability in Media Library Downloader lets an attacker ride on an authenticated user's session. The attacker crafts a link, or a hidden auto-submitting form, on a site they control. When a user who is logged in to the WordPress site visits that page, the browser sends the forged request to the WordPress site with the user's authentication cookies attached, and the server cannot tell it apart from a request the user meant to make. No attacker code runs on the WordPress site; the attacker only chooses the request parameters, and the plugin's handler then acts with the victim's privileges, for example deleting media files or changing the plugin's settings. The blast radius is bounded by what the plugin's own actions can do and by the victim's capabilities, but for a site that relies on the plugin to manage its media assets the impact can be significant.
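The request flow described above, as an added example that is not code from the M.Code plugin (the page does not show the plugin's handler names or internals): a WordPress AJAX action that deletes a media attachment, first in the forgeable form, then hardened with a nonce and a capability check. The action name `mld_delete_file`, the script handle `mld-admin`, the file `admin.js` and the delete behaviour are assumptions chosen for illustration.

```php
<?php
/**
 * Added example (not the M.Code plugin's code): a WordPress AJAX action that
 * deletes a media attachment, shown forgeable and then hardened.
 * The action name 'mld_delete_file', the script handle 'mld-admin', the file
 * 'admin.js' and the delete behaviour are assumptions for illustration.
 */

/*
 * What the attacker hosts on a site they control. A logged-in victim who loads
 * it has their browser POST to the WordPress site with the auth cookies
 * attached. The attacker never sees the response and runs no code on the
 * WordPress site, but the request is processed with the victim's privileges.
 *
 *   <form id="f" method="POST"
 *         action="https://victim.example/wp-admin/admin-ajax.php">
 *     <input type="hidden" name="action" value="mld_delete_file">
 *     <input type="hidden" name="attachment_id" value="42">
 *   </form>
 *   <script>document.getElementById('f').submit();</script>
 */

/* Forgeable: the handler checks only that the target exists. Nothing binds the
 * request to the user's intent (no nonce) and nothing checks authorization.
 * Kept unhooked here purely for comparison with the hardened version. */
function mld_delete_file_vulnerable() {
    $attachment_id = isset( $_POST['attachment_id'] ) ? (int) $_POST['attachment_id'] : 0;
    if ( get_post( $attachment_id ) ) {
        wp_delete_attachment( $attachment_id, true );
        wp_send_json_success( array( 'deleted' => $attachment_id ) );
    }
    wp_send_json_error( 'not found', 404 );
}

/* Hardened: nonce check (anti-CSRF) plus capability check (authorization). */
add_action( 'wp_ajax_mld_delete_file', 'mld_delete_file_hardened' );
function mld_delete_file_hardened() {
    // The nonce is derived from the user's session and the action name, so a
    // cross-site page cannot know it. check_ajax_referer() dies on failure by
    // default, so nothing below runs for a forged request.
    check_ajax_referer( 'mld_delete_file', '_ajax_nonce' );

    $attachment_id = isset( $_POST['attachment_id'] ) ? absint( $_POST['attachment_id'] ) : 0;
    if ( ! $attachment_id || 'attachment' !== get_post_type( $attachment_id ) ) {
        wp_send_json_error( 'not an attachment', 400 );
    }
    // CSRF only rides on the victim's privileges; an authenticated user who
    // may not delete this attachment must still be refused.
    if ( ! current_user_can( 'delete_post', $attachment_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    wp_delete_attachment( $attachment_id, true );
    wp_send_json_success( array( 'deleted' => $attachment_id ) );
}

/* The legitimate admin UI must send the nonce with every request. Pass it to
 * the plugin's admin script, which then POSTs
 * { action: 'mld_delete_file', _ajax_nonce: mldAjax.nonce, attachment_id: N }
 * to mldAjax.url. */
add_action( 'admin_enqueue_scripts', function () {
    wp_enqueue_script( 'mld-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'mld-admin', 'mldAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'mld_delete_file' ),
    ) );
} );
```

The two checks are deliberately separate: the nonce proves the request came from the plugin's own UI in the user's session, the capability check proves the user is allowed to do it. A handler with only the second check is still forgeable; one with only the first still lets any logged-in user delete anything.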
This vulnerability is not listed in CISA's KEV catalog. The CVSS score of 4.3 (MEDIUM) measures severity, not likelihood of exploitation; as with any CSRF, an attacker needs a logged-in user to visit a page they control. No public proof-of-concept exploit is currently known. The vulnerability was publicly disclosed on 2025-12-09.
WordPress sites running the affected plugin are exposed whenever a user with media-management capabilities browses other sites while logged in to wp-admin, since that live session is what the forged request rides on. Sites with many users holding upload or delete rights, or with long-lived administrator sessions, have the largest exposure.
• wordpress / composer / npm:
wp plugin get media-library-downloader --field=version   # WP-CLI; 1.4.0 or lower is affected
grep -rhi '^[[:space:]*]*Version:' /var/www/html/wp-content/plugins/media-library-downloader/ --include='*.php'
• generic web:
curl -s https://your-wordpress-site.com/wp-content/plugins/media-library-downloader/readme.txt | grep -i '^Stable tag'
Exploit Status
EPSS
0.02% (5th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-62734 is to update Media Library Downloader to 1.4.1 or later, where the issue is fixed. If the update cannot be applied immediately, deactivate the plugin until it can, or reduce exposure by limiting the plugin's actions to the smallest set of users who need them, since a forged request can only do what the victim's account can do. Note that a Content Security Policy does not mitigate CSRF: the forged request is an ordinary cross-site form post or navigation, which CSP on the victim site does not govern. The defences that work are WordPress nonces on every state-changing handler (check_admin_referer(), check_ajax_referer() or wp_verify_nonce()) combined with capability checks. Browsers' Lax-by-default cookie handling blocks cookies on cross-site POSTs but still sends them on top-level GET navigations, so it is not a substitute for nonces. Monitor web-server access logs for POST requests to admin-ajax.php or admin-post.php whose Referer header is missing or belongs to another origin.
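The access-log monitoring suggested above, as an added example that is not part of this page or of the plugin: a PHP CLI script that flags POSTs to the WordPress admin endpoints whose Referer is absent or from another origin, which is the trace a forged cross-site request leaves in a combined-format log. The log lines are constructed, the site host is an assumption, and the action name they carry is made up for the example.

```php
<?php
/**
 * Added example (not from the page or the plugin): flag POSTs to WordPress
 * admin endpoints whose Referer is missing or off-site. Run with `php scan.php`.
 * SITE_HOST and the sample log lines below are assumptions/constructed data.
 */

const SITE_HOST = 'your-wordpress-site.com';

// Apache/nginx "combined" format: host ident user [time] "request" status bytes "referer" "user-agent"
const LOG_RE = '~^(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>\S+) (?<path>\S+) [^"]*" (?<status>\d{3}) \S+ "(?<referer>[^"]*)" "(?<ua>[^"]*)"$~';

// Endpoints on which plugins register state-changing handlers.
const ADMIN_ENDPOINTS = array( '/wp-admin/admin-ajax.php', '/wp-admin/admin-post.php' );

/**
 * True for a POST to an admin endpoint with no Referer or a Referer from
 * another host. The plugin's own UI sends a same-site Referer; a lure page on
 * the attacker's site sends its own origin, or none at all.
 */
function is_suspicious( array $req, string $site_host ): bool {
    if ( $req['method'] !== 'POST' ) {
        return false;
    }
    $path = parse_url( $req['path'], PHP_URL_PATH );
    if ( ! in_array( $path, ADMIN_ENDPOINTS, true ) ) {
        return false;
    }
    $ref = $req['referer'];
    if ( $ref === '' || $ref === '-' ) {
        // Strict referrer policies can also blank this, so treat as a lead, not proof.
        return true;
    }
    $ref_host = parse_url( $ref, PHP_URL_HOST );
    return strcasecmp( (string) $ref_host, $site_host ) !== 0;
}

/** Parse each line, keep the suspicious ones, and pull out the AJAX action name. */
function scan( array $lines, string $site_host ): array {
    $hits = array();
    foreach ( $lines as $line ) {
        if ( ! preg_match( LOG_RE, $line, $m ) ) {
            continue; // not combined format; skip rather than guess
        }
        if ( is_suspicious( $m, $site_host ) ) {
            parse_str( (string) parse_url( $m['path'], PHP_URL_QUERY ), $q );
            $hits[] = array(
                'ip'      => $m['ip'],
                'time'    => $m['time'],
                'action'  => $q['action'] ?? '(none)',
                'referer' => $m['referer'],
            );
        }
    }
    return $hits;
}

// Constructed sample lines (not from a real site; 'example_delete' is made up).
$sample = array(
    '203.0.113.5 - - [09/Dec/2025:10:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=example_delete HTTP/1.1" 200 27 "https://your-wordpress-site.com/wp-admin/upload.php" "Mozilla/5.0"',
    '198.51.100.7 - - [09/Dec/2025:10:02:13 +0000] "POST /wp-admin/admin-ajax.php?action=example_delete HTTP/1.1" 200 27 "https://attacker.example/lure.html" "Mozilla/5.0"',
    '198.51.100.7 - - [09/Dec/2025:10:02:14 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [09/Dec/2025:10:03:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 10 "-" "Mozilla/5.0"',
);

foreach ( scan( $sample, SITE_HOST ) as $hit ) {
    printf( "%s %s action=%s referer=%s\n", $hit['time'], $hit['ip'], $hit['action'], $hit['referer'] );
}
```

On the sample data only the second and third lines are reported: the first carries a same-site Referer and the fourth is a GET to the heartbeat action. To run this over a real log, replace `$sample` with `file('/var/log/apache2/access.log', FILE_IGNORE_NEW_LINES)`; a 200 response on a flagged request is more interesting than a 403 or a `-1` body, because a handler that verified its nonce would have refused the forged call.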
Update to version 1.4.1 or later, where the vulnerability is fixed. Until the update is applied, review the vulnerability details and apply mitigations according to your organization's risk tolerance; deactivating the affected plugin is the safest interim measure.
CVE-2025-62734 is a Cross-Site Request Forgery vulnerability in M.Code Media Library Downloader that lets an attacker make a logged-in user's browser submit requests the user did not intend, so the plugin performs unauthorized actions with that user's privileges.
If you are using Media Library Downloader versions 0.0.0 through 1.4.0, you are potentially affected by this vulnerability.
Update Media Library Downloader to 1.4.1 or later. Until the update is applied, deactivate the plugin or limit which users can perform its actions; a Content Security Policy does not mitigate CSRF.
There are currently no confirmed reports of active exploitation, but the vulnerability's nature makes it a potential target.
Check the M.Code website or WordPress plugin repository for updates and advisories related to CVE-2025-62734.