CVE-2025-62103
Description
Cross-Site Request Forgery (CSRF) vulnerability in wpmediadownload Media Library File Download media-download allows Cross Site Request Forgery. This issue affects Media Library File Download: from n/a through <= 1.4.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A CSRF vulnerability in the WordPress Media Library File Download plugin allows attackers to force authenticated users to perform unwanted actions.
Vulnerability Overview
CVE-2025-62103 is a Cross-Site Request Forgery (CSRF) vulnerability found in the WordPress plugin Media Library File Download (media-download), affecting versions through 1.4. The plugin fails to implement proper CSRF protection mechanisms, such as nonces or token validation, on its administrative actions. This oversight enables an attacker to craft malicious requests that can be executed on behalf of a logged-in administrator or other privileged user without their consent [1].
Attack Vector and Requirements
Exploitation of this CSRF vulnerability requires user interaction. An attacker must trick a privileged user (e.g., a site administrator) into performing an action—such as clicking a malicious link, visiting a crafted page, or submitting a deceptive form—while that user has an active session in the WordPress admin area. The attacker does not need any special privileges themselves, nor do they need to authenticate to the target site. The attack is initiated by inducing the victim to send a forged HTTP request to the vulnerable plugin endpoint [1].
Impact
Successful exploitation could allow an attacker to force the victim's browser to execute unintended actions under the victim's current authentication, such as changing plugin settings, deleting files, or performing other administrative operations within the scope of the Media Library File Download plugin. The CVSS score is 4.3 (Medium), reflecting the need for user interaction and the limited scope of impact to a single plugin's functionality [1].
Mitigation
As of the publication date, the vendor has not released a patched version. Site administrators should apply the update as soon as a fixed release becomes available. Until then, they should consider temporarily disabling the plugin and consulting their hosting provider or web developer about additional measures, such as request validation or Web Application Firewall (WAF) rules [1].
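The overview above attributes the flaw to missing nonce or token validation on administrative actions, and the mitigation section points to request validation as the fix. The following is an added illustration of that defect class and its standard WordPress remedy; it is generic example code, not the Media Library File Download plugin's code, and the action name (example_plugin_save), nonce field name, option name and settings page slug are all hypothetical.

```php
<?php
/*
 * Added illustration (not the Media Library File Download plugin's code):
 * a WordPress admin-post handler shown without and with CSRF protection.
 * All action, option and field names here are hypothetical.
 */

// --- Unprotected pattern: the CSRF defect class described above. ---
// Deliberately NOT hooked to any action; shown only for contrast.
// Any request that carries a logged-in administrator's cookies reaches the
// state change, whether or not the administrator meant to send it.
function example_unprotected_save() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.', '', array( 'response' => 403 ) );
    }
    // A capability check alone does not stop CSRF: the victim HAS the capability.
    update_option(
        'example_plugin_setting',
        sanitize_text_field( wp_unslash( $_POST['setting'] ?? '' ) )
    );
    wp_safe_redirect( admin_url( 'options-general.php?page=example-plugin&saved=1' ) );
    exit;
}

// --- Hardened pattern: POST-only, nonce check, then capability check. ---
function example_protected_save() {
    // 1. State-changing actions should never ride on GET.
    if ( 'POST' !== strtoupper( $_SERVER['REQUEST_METHOD'] ?? '' ) ) {
        wp_die( 'Invalid request method.', '', array( 'response' => 405 ) );
    }
    // 2. Verify the nonce bound to this specific action and the current session.
    //    check_admin_referer() calls wp_die() if the nonce is missing or invalid,
    //    so execution only continues for requests the admin's own form produced.
    check_admin_referer( 'example_plugin_save', 'example_plugin_nonce' );
    // 3. Authorization is a separate concern from CSRF defence; keep both.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.', '', array( 'response' => 403 ) );
    }
    update_option(
        'example_plugin_setting',
        sanitize_text_field( wp_unslash( $_POST['setting'] ?? '' ) )
    );
    wp_safe_redirect( admin_url( 'options-general.php?page=example-plugin&saved=1' ) );
    exit;
}
add_action( 'admin_post_example_plugin_save', 'example_protected_save' );

// The settings form must emit the matching nonce field; otherwise legitimate
// submissions are rejected by check_admin_referer() as well.
function example_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_plugin_save">
        <?php wp_nonce_field( 'example_plugin_save', 'example_plugin_nonce' ); ?>
        <label>Setting
            <input type="text" name="setting"
                   value="<?php echo esc_attr( get_option( 'example_plugin_setting', '' ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

Two details matter when reviewing a plugin for this class of issue. First, the nonce action string passed to check_admin_referer() must be a specific, per-action value: WordPress's default action of -1 ties the nonce to no particular operation, so a nonce issued anywhere else on the site with that default would also pass. Second, a nonce check that runs after the state change, or one that only logs a failure instead of stopping the request, gives no protection; the call has to sit before any write and has to halt the request on failure, which is what check_admin_referer() does by default.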
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <= 1.4
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.