Platform
wordpress
Component
media-library-downloader
Fixed version
1.4.1
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in M.Code Media Library Downloader. This flaw allows an attacker to trick authenticated users into performing actions they did not intend to, potentially leading to unauthorized modifications or deletions of media files. The vulnerability impacts versions from 0.0.0 through 1.4.0. A fix is expected in a future release.
The CSRF vulnerability in Media Library Downloader allows attackers to leverage authenticated user sessions to execute malicious actions. An attacker could craft a malicious link or embed a hidden form on a website they control. When a user with an active Media Library Downloader session visits this malicious page, the browser submits the forged request together with the user's session cookies, so it is processed with the user's privileges. This could result in the attacker deleting media files, modifying settings, or performing other actions as if they were the legitimate user. The blast radius is limited to the scope of actions available within the Media Library Downloader plugin, but the impact can be significant for users who rely on the plugin for managing their media assets.
This vulnerability is currently not listed on KEV. The CVSS score of 4.3 (MEDIUM) suggests a moderate probability of exploitation. Public proof-of-concept exploits are not currently known. The vulnerability was publicly disclosed on 2025-12-09.
WordPress websites utilizing the Media Library Downloader plugin, particularly those with shared hosting environments or where user access controls are not strictly enforced, are at increased risk. Users who frequently manage media files through the plugin's interface are also more vulnerable.
• wordpress / composer / npm:
grep -r 'wp_query_vars' /var/www/html/wp-content/plugins/media-library-downloader/
• generic web:
curl -I 'https://your-wordpress-site.com/wp-admin/admin-ajax.php?action=media_library_downloader_delete_file' | grep -i 'referer'
Exploitation status
EPSS
0.02% (5th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-62734 is to upgrade to a patched version of Media Library Downloader as soon as it becomes available. Until a patch is released, consider implementing temporary workarounds. One approach is to restrict access to sensitive Media Library Downloader functions using WordPress's built-in capabilities or custom code to require additional authentication steps. Implementing a Content Security Policy (CSP) can also help mitigate CSRF attacks by restricting the sources from which scripts can be executed. Monitor WordPress access logs for suspicious requests targeting Media Library Downloader endpoints.
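As an added illustration of the "built-in capabilities or custom code" mitigation described above (example code written for this page, not the plugin's own source), the following shows a hypothetical admin-ajax delete handler with no request-origin check next to its hardened form, which uses WordPress's `check_ajax_referer()` and `current_user_can()`. The `mld_` prefix, the `mld_delete_file` action and nonce name, the script handle and the function names are all assumptions and do not correspond to identifiers in the real plugin.

```php
<?php
// Added example: a hypothetical WordPress admin-ajax handler that deletes a
// media attachment. Every name prefixed "mld_" is an assumption for this
// illustration, not an identifier from the Media Library Downloader plugin.

// VULNERABLE: any POST that arrives with the victim's session cookies is
// honoured. Nothing proves the request originated from the plugin's own UI,
// which is exactly the gap a CSRF page exploits.
function mld_delete_file_vulnerable() {
    $attachment_id = isset( $_POST['attachment_id'] ) ? absint( $_POST['attachment_id'] ) : 0;
    if ( $attachment_id ) {
        wp_delete_attachment( $attachment_id, true );
    }
    wp_send_json_success( array( 'deleted' => $attachment_id ) );
}

// HARDENED: the request must carry a nonce minted for this action and this
// user, and the user must actually hold the capability to delete the item.
function mld_delete_file_hardened() {
    // Ends the request with HTTP 403 ("-1") when the '_ajax_nonce' field is
    // missing, expired, or was issued for another user or action.
    check_ajax_referer( 'mld_delete_file', '_ajax_nonce' );

    $attachment_id = isset( $_POST['attachment_id'] ) ? absint( $_POST['attachment_id'] ) : 0;

    // Capability check is separate from the nonce: a valid nonce only proves
    // intent, it does not prove authorisation for this particular attachment.
    if ( ! $attachment_id || ! current_user_can( 'delete_post', $attachment_id ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    wp_delete_attachment( $attachment_id, true );
    wp_send_json_success( array( 'deleted' => $attachment_id ) );
}
add_action( 'wp_ajax_mld_delete_file', 'mld_delete_file_hardened' );

// Legitimate requests need the nonce, so hand it to the admin script. The
// script handle 'mld-admin' and the file 'admin.js' are assumptions.
function mld_enqueue_admin_script() {
    wp_enqueue_script( 'mld-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'mld-admin', 'mldAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'mld_delete_file' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'mld_enqueue_admin_script' );
```

The admin script then posts `action=mld_delete_file`, `attachment_id` and `_ajax_nonce=mldAjax.nonce` to `mldAjax.url`. A page on another origin cannot read the nonce value, so a forged form lacks it and `check_ajax_referer()` stops the request before any deletion runs; keeping `current_user_can()` as a second gate also covers the case where a lower-privileged but logged-in user obtains a valid nonce for their own session.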
There is currently no known patch. Review the vulnerability details thoroughly and take mitigation measures according to your organization's risk tolerance. The safest option is to uninstall the affected software and look for an alternative.
CVE-2025-62734 is a Cross-Site Request Forgery vulnerability in M.Code Media Library Downloader, allowing attackers to perform unauthorized actions via crafted requests.
If you are using Media Library Downloader versions 0.0.0 through 1.4.0, you are potentially affected by this vulnerability.
Upgrade to a patched version of Media Library Downloader as soon as it becomes available. Until then, implement temporary workarounds like restricting access and using CSP.
There are currently no confirmed reports of active exploitation, but the vulnerability's nature makes it a potential target.
Check the M.Code website or WordPress plugin repository for updates and advisories related to CVE-2025-62734.