Skip to content
Medium Published: Dec 17, 2025

CVE-2025-14399

4.3 CVSS Score Medium
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Export CVE-2025-14399 Data:
Share:
Link copied!

Description

The Download Plugins and Themes in ZIP from Dashboard plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9.6. This is due to missing or incorrect nonce validation on the download_plugin_bulk and download_theme_bulk functions. This makes it possible for unauthenticated attackers to archive all the sites plugins and themes and place them in the `wp-content/uploads/` directory via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS Vector Details

Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Unchanged
Confidentiality None
Integrity Low
Availability None

Weaknesses (CWE)

  • CWE-352

References & External Links

External Resources

NVD Official Record Exploit-DB Search Exploits CVE Details Statistics GitHub PoC / Tools X / Twitter Discussions Google Search More

Related Vulnerabilities

CVE-2002-2426 CVSS 0 Same weakness: CWE-352 CVE-2004-1967 CVSS 8.8 Same weakness: CWE-352 CVE-2004-1703 CVSS 8.8 Same weakness: CWE-352 CVE-2004-1842 CVSS 8.8 Same weakness: CWE-352 CVE-2004-1995 CVSS 6.5 Same weakness: CWE-352

CVE History Timeline

Dec 17, 2025 08:15 New CVE Received
← Back to CVE Tracker