Platform
wordpress
Component
media-download
Fixed version
1.4.1
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the wpmediadownload Media Library File Download plugin. The flaw allows an attacker to trigger unintended state-changing actions in a logged-in user's account without that user's knowledge. It affects versions from 0.0.0 up to and including 1.4; the fix ships in 1.4.1 and is applied by updating the plugin.
CSRF works because the browser automatically attaches the victim's WordPress session cookie to any request aimed at the site, including one submitted by a form or script on a page the attacker controls. If a plugin endpoint performs an action on the strength of that cookie alone, without a nonce bound to the user and the intended action, the server cannot tell a forged request from a genuine one. A successful attack could modify media library settings, delete files, or perform other actions the plugin exposes, with the permissions of the affected user. The blast radius therefore depends on the victim's role in the WordPress installation: forcing an administrator's browser to submit the request grants the attacker significant control over the site.
This vulnerability was publicly disclosed on 2025-12-09. No public proof-of-concept (PoC) code has been identified at the time of writing. The CVSS base score is 4.3 (Medium); note that CVSS rates severity under the assumed attack conditions, not the likelihood of exploitation, which the EPSS estimate listed below puts very low. It is not currently listed on the CISA KEV catalog.
Websites running the wpmediadownload Media Library File Download plugin are at risk, particularly those whose administrators browse other sites while logged in, since an administrator session is the most valuable target for a CSRF request. Shared hosting environments where several sites share the same server resources are also a concern, because a compromise of one site can become a foothold against its co-tenants if the host does not isolate them.
• wordpress / composer / npm:
grep -r "wpmediadownload" /var/www/html/wp-content/plugins/
wp plugin list | grep wpmediadownload
• generic web:
curl -I https://your-wordpress-site.com/wp-content/plugins/wpmediadownload/ | grep Server
This page lists the component slug as media-download, so search for that directory name as well as the author name. The curl check above only confirms that the plugin path is served; to establish the installed version, read the Stable tag line from the plugin's readme.txt (or the version reported by wp plugin list) and compare it against 1.4.1.
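The version comparison behind those checks, as an added example that is not from this page or the plugin: a small POSIX shell script that parses the Stable tag line of a WordPress readme.txt and reports whether the version falls in the affected range (below 1.4.1). The readme text embedded in it is constructed for the example; the plugin directory slug and site URL in the comment are placeholders.

```shell
#!/bin/sh
# Added example (not from the original page or the plugin): decide whether an
# installed copy is inside the affected range. The page gives the range as
# 0.0.0 through 1.4 with the fix in 1.4.1, so "vulnerable" means version < 1.4.1.
FIXED_VERSION="1.4.1"

# version_lt A B: succeed if A sorts strictly before B in version order.
# Relies on sort -V (GNU coreutils and modern BSD sort).
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# is_vulnerable VERSION: succeed if VERSION is below the fixed release.
is_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# stable_tag_from_readme: read a WordPress readme.txt on stdin and print the
# "Stable tag:" value, which is the released plugin version.
stable_tag_from_readme() {
    sed -n 's/^[Ss]table [Tt]ag:[[:space:]]*//p' | head -n 1 | tr -d '\r'
}

# classify VERSION: print "vulnerable" or "fixed" for a version string.
classify() {
    if is_vulnerable "$1"; then echo "vulnerable"; else echo "fixed"; fi
}

# Constructed sample readme (not the plugin's real file) so this runs offline.
# Against a live site the same text would come from, for example,
#   curl -s https://your-wordpress-site.com/wp-content/plugins/<slug>/readme.txt
SAMPLE_README='=== Media Library File Download ===
Contributors: wpmediadownload
Stable tag: 1.4'

installed="$(printf '%s\n' "$SAMPLE_README" | stable_tag_from_readme)"
echo "installed $installed: $(classify "$installed")"
```

Versions are compared with sort -V rather than string comparison so that 1.10 is correctly treated as newer than 1.4.1; a plain lexical compare would misclassify it.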
Exploit status
EPSS
0.02% (5th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-62103 is to upgrade the wpmediadownload Media Library File Download plugin to 1.4.1 or later. If an immediate upgrade is not possible because of compatibility or testing constraints, a Web Application Firewall (WAF) rule can reduce exposure by blocking state-changing requests to the plugin's admin endpoints whose Origin or Referer header does not match your site. Do not write rules that drop requests for containing a CSRF token: the token (a WordPress nonce) is the defence, not the attack indicator. Strong, unique passwords remain good hygiene but do not prevent CSRF, which abuses a session that is already authenticated. After upgrading, verify the fix by replaying one of the plugin's state-changing requests without a valid nonce, for example by submitting it from a page on another origin or with the nonce parameter (conventionally _wpnonce in WordPress) removed; a fixed handler should reject the request rather than perform the action.
Where the 1.4.1 upgrade cannot be applied, review the vulnerability details and apply mitigations according to your organization's risk tolerance. Because the flaw is in the plugin's own code, deactivating or uninstalling the plugin until it can be updated is the most reliable interim option.
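The request pattern described above and the nonce-based fix that the verification step relies on, as an added example: this is illustrative WordPress plugin code written for this page, not the Media Library File Download plugin's actual handler. The action name wpmd_example_delete_file, the nonce action wpmd_delete_file and the function names are assumptions; the WordPress API calls (check_admin_referer, current_user_can, wp_nonce_field, wp_delete_attachment) are real.

```php
<?php
// Added example, not code from the Media Library File Download plugin.
// A hypothetical admin-post handler showing the CSRF pattern the advisory
// describes (a state-changing action honoured on the strength of the session
// cookie alone) beside the hardened form: a nonce tied to the user and the
// action, plus a capability check. Action and function names are assumptions.

// --- Vulnerable pattern: any cross-site form post from a logged-in victim's
// browser carries the session cookie, so this check proves nothing about intent.
function wpmd_example_delete_file_vulnerable() {
    if ( ! is_user_logged_in() ) {
        wp_die( 'Not logged in', 403 );
    }
    $attachment_id = isset( $_POST['attachment_id'] ) ? (int) $_POST['attachment_id'] : 0;
    wp_delete_attachment( $attachment_id, true ); // executes for a forged request
    wp_safe_redirect( admin_url( 'upload.php' ) );
    exit;
}

// --- Hardened pattern: the nonce must have been minted by WordPress for this
// user and this action, and the user must hold the relevant capability.
function wpmd_example_delete_file_hardened() {
    // Dies with HTTP 403 ("The link you followed has expired") unless the
    // _wpnonce field is valid for action 'wpmd_delete_file' and this session.
    check_admin_referer( 'wpmd_delete_file' );

    $attachment_id = isset( $_POST['attachment_id'] ) ? (int) $_POST['attachment_id'] : 0;
    if ( ! current_user_can( 'delete_post', $attachment_id ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    wp_delete_attachment( $attachment_id, true );
    wp_safe_redirect( admin_url( 'upload.php' ) );
    exit;
}
add_action( 'admin_post_wpmd_example_delete_file', 'wpmd_example_delete_file_hardened' );

// --- Rendering the legitimate form: wp_nonce_field() emits the hidden _wpnonce
// and _wp_http_referer inputs that check_admin_referer() validates above.
function wpmd_example_render_delete_form( $attachment_id ) {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="wpmd_example_delete_file">
        <input type="hidden" name="attachment_id" value="<?php echo (int) $attachment_id; ?>">
        <?php wp_nonce_field( 'wpmd_delete_file' ); ?>
        <button type="submit">Delete file</button>
    </form>
    <?php
}
```

The post-upgrade check in the mitigation text maps directly onto this code: a replay of the request with the nonce field stripped, or submitted from another origin, must end at the check_admin_referer() call with a 403 rather than reaching wp_delete_attachment(). A nonce alone is not a substitute for the capability check; WordPress nonces prove intent, while current_user_can() enforces authorization.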
CVE-2025-62103 is a Cross-Site Request Forgery (CSRF) vulnerability affecting versions 0.0.0–1.4 of the wpmediadownload Media Library File Download plugin, allowing attackers to perform unauthorized actions.
If you are using wpmediadownload Media Library File Download version 0.0.0 through 1.4, you are potentially affected by this vulnerability. Check your plugin version immediately.
Upgrade the wpmediadownload Media Library File Download plugin to 1.4.1 or later, the first release containing the fix for this CSRF vulnerability.
There is no confirmed active exploitation of CVE-2025-62103 at this time, but the vulnerability is publicly known and could be targeted.
Refer to the official wpmediadownload plugin website or WordPress plugin repository for the latest advisory and update information regarding CVE-2025-62103.