Platform
wordpress
Component
media-library-downloader
Fixed in
1.4.1
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in M.Code Media Library Downloader. This flaw allows an attacker to trick authenticated users into performing actions they did not intend to, potentially leading to unauthorized modifications or deletions of media files. The vulnerability impacts versions from 0.0.0 through 1.4.0. A fix is expected in a future release.
The CSRF vulnerability in Media Library Downloader allows attackers to leverage authenticated user sessions to execute malicious actions. An attacker could craft a malicious link or embed a hidden form on a website they control. When a user with an active Media Library Downloader session visits this malicious page, the attacker's code will be executed with the user's privileges. This could result in the attacker deleting media files, modifying settings, or performing other actions as if they were the legitimate user. The blast radius is limited to the scope of actions available within the Media Library Downloader plugin, but the impact can be significant for users who rely on the plugin for managing their media assets.
This vulnerability is currently not listed on KEV. The CVSS score of 4.3 (MEDIUM) suggests a moderate probability of exploitation. Public proof-of-concept exploits are not currently known. The vulnerability was publicly disclosed on 2025-12-09.
WordPress websites utilizing the Media Library Downloader plugin, particularly those with shared hosting environments or where user access controls are not strictly enforced, are at increased risk. Users who frequently manage media files through the plugin's interface are also more vulnerable.
• wordpress / composer / npm:
grep -r 'wp_query_vars' /var/www/html/wp-content/plugins/media-library-downloader/
• generic web:
curl -I https://your-wordpress-site.com/wp-admin/admin-ajax.php?action=media_library_downloader_delete_file | grep -i 'referer'
Disclosure
Exploit Status
EPSS
0.02% (5th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-62734 is to upgrade to a patched version of Media Library Downloader as soon as it becomes available. Until a patch is released, consider implementing temporary workarounds. One approach is to restrict access to sensitive Media Library Downloader functions using WordPress's built-in capabilities or custom code to require additional authentication steps. Implementing a Content Security Policy (CSP) can also help mitigate CSRF attacks by restricting the sources from which scripts can be executed. Monitor WordPress access logs for suspicious requests targeting Media Library Downloader endpoints.
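The capability-based restriction described above, shown as an added example of the standard WordPress pattern for an admin-ajax handler (a per-user, per-action nonce plus a capability check); this is not the plugin's own code, and the action name mld_example_delete_file and the function names are hypothetical:

```php
<?php
// Added example, not the Media Library Downloader plugin's own code.
// Hypothetical names: the ajax action 'mld_example_delete_file' and the
// functions below are assumptions for illustration only.

add_action( 'wp_ajax_mld_example_delete_file', 'mld_example_delete_file_handler' );

function mld_example_delete_file_handler() {
    // 1. Anti-CSRF token: the nonce is bound to the logged-in user and to this
    //    action, so a form on an attacker-controlled origin cannot supply a
    //    valid value. check_ajax_referer() replies 403 and exits on failure.
    check_ajax_referer( 'mld_example_delete_file', 'nonce' );

    // 2. Authorization is separate from CSRF protection: even with a valid
    //    nonce, the user must actually be allowed to delete this attachment.
    $attachment_id = isset( $_POST['attachment_id'] ) ? absint( $_POST['attachment_id'] ) : 0;
    if ( 0 === $attachment_id || ! current_user_can( 'delete_post', $attachment_id ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed' ), 403 );
    }

    // 3. Confirm the target is a media item before acting on it.
    if ( 'attachment' !== get_post_type( $attachment_id ) ) {
        wp_send_json_error( array( 'message' => 'Not an attachment' ), 400 );
    }

    if ( ! wp_delete_attachment( $attachment_id, true ) ) {
        wp_send_json_error( array( 'message' => 'Delete failed' ), 500 );
    }
    wp_send_json_success( array( 'deleted' => $attachment_id ) );
}

// The legitimate admin UI receives its nonce server-side and sends it with
// each request; a cross-site page has no way to read this value.
function mld_example_enqueue_admin_script() {
    wp_enqueue_script( 'mld-example-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'mld-example-admin', 'mldExample', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'mld_example_delete_file' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'mld_example_enqueue_admin_script' );
```

The client-side admin.js is assumed to POST `action`, `attachment_id` and `nonce` (taken from `mldExample.nonce`) to `mldExample.ajaxUrl`; the nonce check alone blocks forged cross-site requests, while the capability check stops an authenticated but under-privileged user.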
No known patch available. Study the vulnerability details thoroughly and apply mitigations based on your organization's risk tolerance. It may be best to remove the affected software and find a replacement.
CVE-2025-62734 is a Cross-Site Request Forgery vulnerability in M.Code Media Library Downloader, allowing attackers to perform unauthorized actions via crafted requests.
If you are using Media Library Downloader versions 0.0.0 through 1.4.0, you are potentially affected by this vulnerability.
Upgrade to a patched version of Media Library Downloader as soon as it becomes available. Until then, implement temporary workarounds like restricting access and using CSP.
There are currently no confirmed reports of active exploitation, but the vulnerability's nature makes it a potential target.
Check the M.Code website or WordPress plugin repository for updates and advisories related to CVE-2025-62734.