CVE-2025-55758
Description
Multiple CSRF attack vectors in JDownloads component 1.0.0-4.0.47 for Joomla were discovered.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Multiple CSRF vulnerabilities in JDownloads for Joomla allow attackers to perform unauthorized actions on behalf of administrators.
Vulnerability
Overview
CVE-2025-55758 describes multiple cross-site request forgery (CSRF) vulnerabilities in the JDownloads component for Joomla, affecting versions 1.0.0 through 4.0.47. The component fails to properly validate and verify the origin of requests, making it possible for attackers to craft malicious requests that are submitted without the victim's consent.
Exploitation
An attacker can exploit these vulnerabilities by luring an authenticated administrator into visiting a malicious page or clicking a crafted link. The attacker does not need to be authenticated; they only need to trick a user with administrative privileges on the Joomla site where JDownloads is installed. The CSRF attack can be performed cross-site, as the requests are sent from the victim's browser.
Impact
Successful exploitation allows the attacker to perform unauthorized actions within the JDownloads component, such as changing configuration settings, deleting downloads, or altering categories, depending on the privileges of the victim administrator.
Mitigation
Users are advised to upgrade to the latest version of JDownloads (4.1.4 as of May 2026), which includes general stability and security improvements. While the release notes do not specifically mention CSRF fixes, upgrading to the latest version is recommended to protect against known vulnerabilities [1].
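For site owners who maintain their own Joomla components, the underlying defect is the one this CVE class always comes down to: a state-changing request handler that trusts the administrator's session cookie alone. The following is an added illustration written for this page, not code from JDownloads or from the Joomla project, showing that weak pattern next to the hardened one using Joomla 4's own form-token API. The controller, model and task names (ExampleController, Example, deleteUnsafe, delete, handleLegacyAction, renderTokenField) are hypothetical; BaseController::checkToken(), Session::checkToken() and HTMLHelper::_('form.token') are the real Joomla 4 calls.

```php
<?php
// Added illustration, not JDownloads or Joomla project code. Controller,
// model and task names are hypothetical; the Joomla API calls are real.
use Joomla\CMS\HTML\HTMLHelper;
use Joomla\CMS\MVC\Controller\BaseController;
use Joomla\CMS\Session\Session;

class ExampleController extends BaseController
{
    // Weak pattern: a state-changing task guarded only by the admin's session
    // cookie. The browser attaches that cookie to a cross-site form post as
    // well, so the action runs whether or not the admin intended it.
    public function deleteUnsafe(): void
    {
        $id = $this->input->getInt('id');
        $this->getModel('Example')->delete($id);
        $this->setRedirect('index.php?option=com_example', 'Deleted');
    }

    // Hardened pattern: the POST must carry the per-session form token that
    // Joomla embeds in the admin's own forms. checkToken() validates it and,
    // with the default $redirect = true, redirects with an "Invalid Token"
    // notice; the explicit return keeps the intent obvious either way.
    public function delete(): void
    {
        if (!$this->checkToken('post')) {
            return;
        }
        $id = $this->input->getInt('id');
        $this->getModel('Example')->delete($id);
        $this->setRedirect('index.php?option=com_example', 'Deleted');
    }
}

// Outside a controller (for example a legacy procedural handler) the same
// check is available directly; a forged request is rejected before any
// state changes.
function handleLegacyAction(): bool
{
    if (!Session::checkToken('post')) {
        return false; // caller aborts and reports "Invalid Token"
    }
    // ... perform the action ...
    return true;
}

// The matching form side: every form that submits to a token-checked task
// must include this hidden input, otherwise legitimate requests fail too.
function renderTokenField(): string
{
    return HTMLHelper::_('form.token'); // <input type="hidden" name="<token>" value="1">
}
```

When auditing a component for this class of issue, list every task that writes to the database or changes configuration and confirm each one reaches checkToken() (or Session::checkToken()) before the write; tasks reachable over GET deserve particular scrutiny, since a token check on 'post' does nothing for them. SameSite cookie attributes reduce exposure but do not replace the token.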
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 entries:
- (no CPE) range: >=1.0.0, <=4.0.47
- (no CPE) range: >=1.0.0, <=4.0.47
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions
No linked articles in our index yet.