Platform: wordpress
Component: media-download
Fixed in: 1.4.1
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the wpmediadownload Media Library File Download plugin. This flaw allows an attacker to potentially trigger unintended actions within a user's account without their knowledge. The vulnerability impacts versions from 0.0.0 up to and including 1.4. A fix is available via plugin update.
The CSRF vulnerability in wpmediadownload allows an attacker to craft malicious requests that appear to originate from a legitimate user. If successful, an attacker could modify media library settings, delete files, or perform other actions with the permissions of the affected user. The blast radius depends on the user's privileges within the WordPress installation; an administrator account compromise would grant the attacker significant control over the website. This vulnerability is similar to other CSRF flaws, where attackers leverage user sessions to execute actions.
This vulnerability was publicly disclosed on 2025-12-09. No public proof-of-concept (PoC) code has been identified at the time of writing. The CVSS score of 4.3 (Medium) indicates a moderate probability of exploitation. It is not currently listed on the CISA KEV catalog.
Websites utilizing the wpmediadownload Media Library File Download plugin, particularly those with user accounts that have administrative privileges, are at risk. Shared hosting environments where multiple websites share the same server resources are also potentially vulnerable, as a compromise on one site could impact others.
• wordpress / composer / npm:
grep -r "wpmediadownload" /var/www/html/wp-content/plugins/
wp plugin list | grep wpmediadownload
• generic web:
curl -I https://your-wordpress-site.com/wp-content/plugins/wpmediadownload/ | grep Server
Exploit status:
EPSS: 0.02% (5th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2025-62103 is to upgrade the wpmediadownload Media Library File Download plugin to a version containing the fix. If an immediate upgrade is not possible due to compatibility issues or testing requirements, consider implementing a Web Application Firewall (WAF) rule to block suspicious cross-site requests to the plugin's action endpoints. Ensure that all user accounts have strong, unique passwords. After upgrading, verify the fix by attempting to trigger a file download action through a crafted URL; the action should be denied if the vulnerability is resolved.
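As an added illustration of the nonce-based protection WordPress provides for this class of bug (example code, not the media-download plugin's own; the action and function names are assumptions), a file-download handler is shown first in its CSRF-prone form and then hardened:

```php
<?php
// Added illustration, not the media-download plugin's own code: a hypothetical
// admin-post handler for a "download a media library file" action, first in the
// CSRF-prone form, then hardened with a WordPress nonce and a capability check.
// Action, function and capability names below are assumptions.

// --- Vulnerable pattern: any request that reaches this handler is acted on. ---
function mld_handle_download_unsafe() {
    $attachment_id = (int) $_GET['attachment_id'];
    $path = get_attached_file( $attachment_id );
    // A logged-in user's browser can be made to issue this request from a
    // third-party page; nothing here proves the user intended the action.
    header( 'Content-Disposition: attachment; filename="' . basename( $path ) . '"' );
    readfile( $path );
    exit;
}

// --- Hardened pattern: the link carries a nonce; the handler verifies it plus the capability. ---
function mld_download_link( $attachment_id ) {
    $url = add_query_arg(
        array( 'action' => 'mld_download', 'attachment_id' => (int) $attachment_id ),
        admin_url( 'admin-post.php' )
    );
    // Binds the link to this user, this action and this attachment (nonce lifetime ~24h).
    return wp_nonce_url( $url, 'mld_download_' . (int) $attachment_id, '_wpnonce' );
}

function mld_handle_download_safe() {
    $attachment_id = isset( $_GET['attachment_id'] ) ? (int) $_GET['attachment_id'] : 0;
    // Dies with a 403 unless _wpnonce matches this user + action + attachment id.
    check_admin_referer( 'mld_download_' . $attachment_id, '_wpnonce' );
    // Authorization is separate from CSRF protection: also check the capability.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    $path = get_attached_file( $attachment_id );
    if ( ! $path || ! file_exists( $path ) ) {
        wp_die( 'File not found.', 404 );
    }
    header( 'Content-Disposition: attachment; filename="' . basename( $path ) . '"' );
    readfile( $path );
    exit;
}
add_action( 'admin_post_mld_download', 'mld_handle_download_safe' );
```

Requesting the hardened handler without a valid `_wpnonce` parameter ends in a 403, which is the behaviour the post-upgrade verification step above expects to see.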
No known fix is available. Please review the vulnerability details thoroughly and implement mitigation measures according to your organization's risk tolerance. It may be preferable to uninstall the affected software and find a replacement.
CVE-2025-62103 is a Cross-Site Request Forgery (CSRF) vulnerability affecting versions 0.0.0–1.4 of the wpmediadownload Media Library File Download plugin, allowing attackers to perform unauthorized actions.
If you are using wpmediadownload Media Library File Download version 0.0.0 through 1.4, you are potentially affected by this vulnerability. Check your plugin version immediately.
Upgrade the wpmediadownload Media Library File Download plugin to the latest available version, which contains the fix for this CSRF vulnerability.
There is no confirmed active exploitation of CVE-2025-62103 at this time, but the vulnerability is publicly known and could be targeted.
Refer to the official wpmediadownload plugin website or WordPress plugin repository for the latest advisory and update information regarding CVE-2025-62103.