VulnerAlert
WORDPRESS
04-06-2025 09:57
CVE-2025-4580
Documented vulnerability
4.3 MEDIUM
Tags
#wordpress
#plugin
#change
#admin
#attackers
#csrf
#allow
#attack
Description
The File Provider WordPress plugin through 1.2.3 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.
https://wpscan.com/vulnerability/8741353a-2a7f-4dee-b62d-7f5fe435f1a1/
Affects Plugins
file-provider
No known fix
References
CVE
CVE-2025-4580
Classification
Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)
Miscellaneous
Original Researcher
Bob Matyas
Submitter
Bob Matyas
Submitter website
https://www.bobmatyas.com
Submitter twitter
bobmatyas
Verified
Yes
WPVDB ID
8741353a-2a7f-4dee-b62d-7f5fe435f1a1
Timeline
Publicly Published
2025-05-14
Added
2025-05-14
Last Updated
2025-05-14
Other
Published | Title
2024-04-11 | NextMove Lite < 2.18.2 - Cross-Site Request Forgery
2025-04-04 | WP Project Manager <= 2.6.24 - Cross-Site Request Forgery
2023-05-05 | Easy Appointments < 3.11.10 - Cross-Site Request Forgery
2023-05-15 | WooCommerce Product Recommendations < 2.3.0 - CSRF
2022-07-05 | Visualizer: Tables and Charts Manager for WordPress < 3.7.10 - Contributor+ PHAR Deserialization
Reference
Related CVE(s)
External link
View details
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-4580
Similar results
Matching at least 50% of the tags
06-06-2025
CVE-2025-2935
The Anti-Spam: Spam Protection | Block Spam Users, Comments, Forms plugin for WordPress is vuln...
View information
06-06-2025
CVE-2025-1778
The Art Theme for WordPress is vulnerable to unauthorized access due to a missing capability ch...
View information
This project was co-financed by the Consejo Nacional de Ciencia y Tecnología (CONACYT) through PROINNOVA 2021/2023
Project carried out by