Platform
wordpress
Component
download-plugins-dashboard
Fixed version
1.9.7
CVE-2025-14399 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the Download Plugins and Themes in ZIP plugin for WordPress. This vulnerability allows unauthenticated attackers to archive all plugins and themes on a WordPress site and place them in the wp-content/uploads/ directory. The vulnerability impacts versions 1.0.0 through 1.9.6, and a fix is available in version 1.9.7.
An attacker exploiting this CSRF vulnerability could leverage a malicious link to trick a site administrator into unknowingly triggering the archiving of all plugins and themes. This archived data would then be placed within the wp-content/uploads/ directory, potentially exposing sensitive code or configuration files. While direct code execution is not possible, the exposure of plugin and theme source code could reveal further vulnerabilities or provide insights into the site's architecture, enabling subsequent attacks. The blast radius extends to the entire WordPress site, as all plugins and themes are susceptible to archiving.
This vulnerability is currently not listed on the CISA KEV catalog. Public proof-of-concept exploits are not widely available, suggesting a low to medium probability of active exploitation. The vulnerability was disclosed publicly on 2025-12-17, and it is recommended to prioritize remediation to prevent potential exploitation.
WordPress sites utilizing the Download Plugins and Themes in ZIP plugin, particularly those with shared hosting environments or lacking robust user access controls, are at increased risk. Sites where administrators frequently click on links from untrusted sources are also more vulnerable.
• wordpress / composer / npm:
grep -rE 'download_plugin_bulk|download_theme_bulk' /var/www/html/wp-content/plugins/download-plugins-and-themes-in-zip/
• wordpress / composer / npm:
wp plugin list --status=inactive | grep 'download-plugins-and-themes-in-zip'
• wordpress / composer / npm:
wp plugin update --all
Exploitation status
EPSS
0.02% (4th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-14399 is to immediately upgrade the Download Plugins and Themes in ZIP plugin to version 1.9.7 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing stricter access controls and user awareness training to minimize the risk of administrators clicking on malicious links. Web Application Firewalls (WAFs) configured to detect and block CSRF attacks can provide an additional layer of defense. Verify the upgrade by attempting a plugin download and confirming that the action requires proper authentication.
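The following is an added illustrative example, not code from the Download Plugins and Themes in ZIP plugin or its 1.9.7 fix. It shows the pattern behind the CSRF described above and the standard WordPress hardening for it: an admin-post handler that performs a state-changing action (archiving plugins into wp-content/uploads/) with no request-origin check, next to the same handler protected by an action-bound nonce and a capability check. All action names, function names and the text domain are hypothetical.

```php
<?php
/**
 * Added illustrative example; NOT code from the Download Plugins and Themes
 * in ZIP plugin. Action names, function names and the text domain are
 * hypothetical. Contrasts a CSRF-prone admin action handler with the
 * hardened form (nonce + capability check).
 */

// Shared side effect for both handlers: zip every plugin directory into
// wp-content/uploads/. This is the state change a forged request must not be
// able to trigger.
function example_archive_plugins_to_uploads() : array {
    $uploads = wp_upload_dir();
    $written = array();
    foreach ( glob( WP_PLUGIN_DIR . '/*', GLOB_ONLYDIR ) as $dir ) {
        $dest = trailingslashit( $uploads['basedir'] ) . basename( $dir ) . '.zip';
        if ( example_zip_dir( $dir, $dest ) ) {
            $written[] = $dest;
        }
    }
    return $written;
}

function example_zip_dir( string $src, string $dest ) : bool {
    $zip = new ZipArchive();
    if ( true !== $zip->open( $dest, ZipArchive::CREATE | ZipArchive::OVERWRITE ) ) {
        return false;
    }
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $src, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $it as $file ) {
        // Store paths relative to the plugin directory inside the archive.
        $zip->addFile( $file->getPathname(), substr( $file->getPathname(), strlen( $src ) + 1 ) );
    }
    return $zip->close();
}

// BEFORE: the handler trusts any request that reaches it. A hidden form or
// image tag on a third-party page, loaded by a logged-in administrator,
// submits this request with the admin's cookies and the archives are built.
add_action( 'admin_post_example_archive_unsafe', 'example_archive_unsafe' );
function example_archive_unsafe() {
    example_archive_plugins_to_uploads();
    wp_safe_redirect( admin_url( 'plugins.php?archived=1' ) );
    exit;
}

// AFTER: a nonce bound to this action proves the request originated from a
// page WordPress rendered for this user; a capability check confirms the user
// may manage plugins at all. Both are needed: the nonce alone does not
// authorize, and the capability alone does not stop a forged request.
add_action( 'admin_post_example_archive_safe', 'example_archive_safe' );
function example_archive_safe() {
    // Dies with HTTP 403 when the _wpnonce field is missing or invalid.
    check_admin_referer( 'example_archive_safe' );

    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_die( esc_html__( 'You are not allowed to archive plugins.', 'example-td' ), 403 );
    }

    example_archive_plugins_to_uploads();
    wp_safe_redirect( admin_url( 'plugins.php?archived=1' ) );
    exit;
}

// The only way to obtain a valid nonce is through a link or form WordPress
// renders for the current user, e.g. the button below on an admin screen.
function example_archive_button_html() : string {
    $url = wp_nonce_url(
        admin_url( 'admin-post.php?action=example_archive_safe' ),
        'example_archive_safe'
    );
    return '<a class="button" href="' . esc_url( $url ) . '">' .
        esc_html__( 'Archive all plugins', 'example-td' ) . '</a>';
}
```

This is also what the verification step above amounts to in practice: after upgrading, a request to the archiving action that lacks a valid, user-bound nonce should be refused with a 403 rather than producing new ZIP files under wp-content/uploads/. A WAF rule that blocks cross-origin POSTs to admin-post.php or admin-ajax.php is a useful second layer, but it does not replace the nonce and capability checks inside the handler.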
Update to version 1.9.7 or a later patched version.
CVE-2025-14399 is a Cross-Site Request Forgery (CSRF) vulnerability in the Download Plugins and Themes in ZIP WordPress plugin, allowing attackers to archive plugins/themes via forged requests.
You are affected if you are using the Download Plugins and Themes in ZIP plugin versions 1.0.0 through 1.9.6.
Upgrade the plugin to version 1.9.7 or later to resolve the vulnerability. Consider WAF rules and user training as additional mitigation.
There is no widespread evidence of active exploitation at this time, but it's recommended to apply the patch promptly.
Refer to the plugin developer's website or WordPress plugin repository for the official advisory and update information.