Platform
wordpress
Component
media-download
Fixed version
1.4.1
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the wpmediadownload Media Library File Download plugin. This flaw allows an attacker to potentially trigger unintended actions within a user's account without their knowledge. The vulnerability impacts versions from 0.0.0 up to and including 1.4. A fix is available via plugin update.
The CSRF vulnerability in wpmediadownload allows an attacker to craft malicious requests that appear to originate from a legitimate user. If successful, an attacker could modify media library settings, delete files, or perform other actions with the permissions of the affected user. The blast radius depends on the user's privileges within the WordPress installation; an administrator account compromise would grant the attacker significant control over the website. This vulnerability is similar to other CSRF flaws, where attackers leverage user sessions to execute actions.
This vulnerability was publicly disclosed on 2025-12-09. No public proof-of-concept (PoC) code has been identified at the time of writing. The CVSS score of 4.3 (Medium) indicates a moderate probability of exploitation. It is not currently listed on the CISA KEV catalog.
Websites utilizing the wpmediadownload Media Library File Download plugin, particularly those with user accounts that have administrative privileges, are at risk. Shared hosting environments where multiple websites share the same server resources are also potentially vulnerable, as a compromise on one site could impact others.
• wordpress / composer / npm:
grep -r "wpmediadownload" /var/www/html/wp-content/plugins/
wp plugin list | grep wpmediadownload
• generic web:
curl -I https://your-wordpress-site.com/wp-content/plugins/wpmediadownload/ | grep Server
Exploitation status
EPSS
0.02% (5th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-62103 is to upgrade the wpmediadownload Media Library File Download plugin to a version containing the fix. If an immediate upgrade is not possible due to compatibility issues or testing requirements, consider implementing a Web Application Firewall (WAF) rule to filter out suspicious requests containing CSRF tokens. Ensure that all user accounts have strong, unique passwords. After upgrading, verify the fix by attempting to trigger a file download action through a crafted URL; the action should be denied if the vulnerability is resolved.
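For readers checking their own plugins for the class of flaw described above, the following is an added illustration of what a CSRF-resistant WordPress action handler looks like; it is example code, not the wpmediadownload plugin's own source, and the function names, the `example_md_delete_file` action, the `example_md_nonce` field and the `upload_files` capability are assumptions chosen for illustration. The unsafe variant accepts any POST that reaches it, so a forged request from a logged-in user's browser succeeds; the hardened variant binds the request to a nonce issued with the form and enforces a capability check.

```php
<?php
// Added example (not the plugin's own code). Handler names, the action slug,
// the nonce field name and the capability are assumptions for illustration.

// --- Unsafe pattern: no proof that the request originated from a form this
// site rendered for this user, so a cross-site POST is processed as genuine.
function example_md_delete_file_unsafe() {
    $file = sanitize_text_field( wp_unslash( $_POST['file'] ?? '' ) );
    // ... deletion logic for $file would run here ...
    wp_safe_redirect( admin_url( 'upload.php' ) );
    exit;
}

// --- Hardened pattern, part 1: the form carries a nonce tied to a specific
// action and to the current user's session.
function example_md_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_md_delete_file">
        <?php wp_nonce_field( 'example_md_delete_file', 'example_md_nonce' ); ?>
        <input type="text" name="file">
        <?php submit_button( 'Delete' ); ?>
    </form>
    <?php
}

// --- Hardened pattern, part 2: the handler rejects requests whose nonce is
// missing or invalid and applies least privilege via a capability check.
function example_md_delete_file_safe() {
    // check_admin_referer() terminates the request with a 403-style error page
    // when the nonce named in the second argument does not verify.
    check_admin_referer( 'example_md_delete_file', 'example_md_nonce' );

    if ( ! current_user_can( 'upload_files' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    $file = sanitize_text_field( wp_unslash( $_POST['file'] ?? '' ) );
    // ... deletion logic for $file would run here ...
    wp_safe_redirect( admin_url( 'upload.php' ) );
    exit;
}

// Only the hardened handler is registered; admin-post.php dispatches the
// "action" field to admin_post_{action} hooks for logged-in users.
add_action( 'admin_post_example_md_delete_file', 'example_md_delete_file_safe' );
```

When reviewing a plugin, the presence of `wp_nonce_field()` (or `wp_nonce_url()`) on the form side together with `check_admin_referer()` or `wp_verify_nonce()` on the handler side is the pattern to look for; a state-changing handler reachable through `admin_post_*`, `wp_ajax_*` or `admin_init` without one of those checks is the shape of a CSRF defect. Note that a nonce is not a substitute for the capability check: it only proves the request came through this site's UI, not that the user is allowed to perform the action.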
No patch is currently known. Review the vulnerability details carefully and apply mitigations according to your organization's risk tolerance. Ideally, uninstall the affected software and look for an alternative.
CVE-2025-62103 is a Cross-Site Request Forgery (CSRF) vulnerability affecting versions 0.0.0–1.4 of the wpmediadownload Media Library File Download plugin, allowing attackers to perform unauthorized actions.
If you are using wpmediadownload Media Library File Download version 0.0.0 through 1.4, you are potentially affected by this vulnerability. Check your plugin version immediately.
Upgrade the wpmediadownload Media Library File Download plugin to the latest available version, which contains the fix for this CSRF vulnerability.
There is no confirmed active exploitation of CVE-2025-62103 at this time, but the vulnerability is publicly known and could be targeted.
Refer to the official wpmediadownload plugin website or WordPress plugin repository for the latest advisory and update information regarding CVE-2025-62103.