{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14399", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-10T01:12:16.135Z", "datePublished": "2025-12-17T07:21:02.249Z", "dateUpdated": "2026-04-08T17:04:22.407Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:04:22.407Z"}, "affected": [{"vendor": "wpcodefactory", "product": "Download Plugins and Themes in ZIP from Dashboard", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.9.6", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Download Plugins and Themes in ZIP from Dashboard plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9.6. This is due to missing or incorrect nonce validation on the download_plugin_bulk and download_theme_bulk functions. This makes it possible for unauthenticated attackers to archive all the sites plugins and themes and place them in the `wp-content/uploads/` directory via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "Download Plugins and Themes from Dashboard <= 1.9.6 - Cross-Site Request Forgery to Bulk Plugin/Theme Archival", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/845b6bcf-004b-4b92-88d7-3d331fa58c11?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3417484/download-plugins-dashboard"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Lorenzo Franchini"}], "timeline": [{"time": "2025-12-10T01:28:52.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-12-16T19:02:52.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-17T21:43:59.709258Z", "id": "CVE-2025-14399", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-17T21:44:12.097Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14399", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-17T21:43:59.709258Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-17T21:44:06.524Z"}}], "cna": {"title": "Download Plugins and Themes from Dashboard <= 1.9.6 - Cross-Site Request Forgery to Bulk Plugin/Theme Archival", "credits": [{"lang": "en", "type": "finder", "value": "Lorenzo Franchini"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "wpcodefactory", "product": "Download Plugins and Themes in ZIP from Dashboard", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.9.6"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-10T01:28:52.000+00:00", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-12-16T19:02:52.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/845b6bcf-004b-4b92-88d7-3d331fa58c11?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3417484/download-plugins-dashboard"}], "descriptions": [{"lang": "en", "value": "The Download Plugins and Themes in ZIP from Dashboard plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9.6. This is due to missing or incorrect nonce validation on the download_plugin_bulk and download_theme_bulk functions. This makes it possible for unauthenticated attackers to archive all the sites plugins and themes and place them in the `wp-content/uploads/` directory via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-12-17T07:21:02.249Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14399", "state": "PUBLISHED", "dateUpdated": "2025-12-17T21:44:12.097Z", "dateReserved": "2025-12-10T01:12:16.135Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-17T07:21:02.249Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Download Plugins and Themes in ZIP from Dashboard plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9.6. This is due to missing or incorrect nonce validation on the download_plugin_bulk and download_theme_bulk functions. This makes it possible for unauthenticated attackers to archive all the sites plugins and themes and place them in the `wp-content/uploads/` directory via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "id": "CVE-2025-14399", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-17T08:15:43.000", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3417484/download-plugins-dashboard"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/845b6bcf-004b-4b92-88d7-3d331fa58c11?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T17:02:15.041359+00:00", "value": {"mitigation_remediation": ["Update the Download Plugins and Themes in ZIP from Dashboard plugin to a version newer than 1.9.6 so that nonce validation is properly enforced.", "If an immediate update is not feasible, temporarily disable the bulk download functionality in the plugin settings or remove the plugin entirely until a fix is available.", "Monitor the wp\u2011content/uploads/ directory for unexpected ZIP files and remove them promptly to prevent accidental discovery of site code by malicious actors."], "summary": {"action": "Apply Patch", "impact": "Cross\u2011Site Request Forgery enabling bulk download of plugins and themes"}, "threat_synthesis": {"affected_systems": "WordPress sites running the wpcodefactory Download Plugins and Themes in ZIP from Dashboard plugin version 1.9.6 or earlier. Any site that has this plugin installed and is able to process admin\u2011level requests is susceptible. Update to a version newer than 1.9.6 to address the missing nonce validation.", "description_and_impact": "The Download Plugins and Themes in ZIP from Dashboard plugin for WordPress is vulnerable to Cross\u2011Site Request Forgery due to missing or incorrect nonce validation on the download_plugin_bulk and download_theme_bulk functions. A forged request can cause an attacker to trigger the bulk download of all installed plugins and themes, resulting in the archive files being written to the wp\u2011content/uploads/ directory. This exposes site code and related files to an unauthenticated attacker, which could facilitate further exploitation or data exfiltration.", "risk_and_exploitability": "The CVSS score of 4.3 indicates medium severity, while the EPSS score of less than 1% suggests a low probability of exploitation at present. The vulnerability is not listed in CISA KEV. Attackers would need to trick an administrator into clicking a malicious link or submitting a forged form, so a social\u2011engineering vector is likely. Post\u2011exploitation, the attacker could read the archived files and potentially identify additional weaknesses."}}}}, "created": "2025-12-17T14:28:30.323261+00:00", "updated": "2026-04-21T17:15:25.325195+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpfactory", "wpfactory$PRODUCT$download_plugins_and_themes_from_dashboard"]}