CVE-2025-0865

MEDIUM Year: 2025
CVSS v3 Score
6.5
Medium
Weakness Type
CWE-352
View all →

Vulnerability Description

The WP Media Category Management plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions 2.0 to 2.3.3. This is due to missing or incorrect nonce validation on the wp_mcm_handle_action_settings() function. This makes it possible for unauthenticated attackers to alter plugin settings, such as the taxonomy used for media, the base slug for media categories, and the default media category via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Related Vulnerabilities

CVE-2004-1995

MEDIUM
CVSS:6.5(Medium)

Cross-Site Request Forgery (CSRF) vulnerability in FuseTalk 2.0 allows remote attackers to create arbitrary accounts via a link to adduser.cfm.

CWE-3522004

CVE-2005-1674

MEDIUM
CVSS:6.5(Medium)

Cross-Site Request Forgery (CSRF) vulnerability in Help Center Live allows remote attackers to perform actions as the administrator via a link or IMG tag to view.php.

CWE-3522005

CVE-2005-2059

MEDIUM
CVSS:6.5(Medium)

Multiple cross-site request forgery (CSRF) vulnerabilities in (1) addaddress.php, (2) toggleignore.php, (3) removeignore.php, and (4) removeaddress.php in Infopop UBB.Threads before 6.5.2 Beta allow r...

CWE-3522005

CVE-2009-3022

MEDIUM
CVSS:6.5(Medium)

Cross-site request forgery (CSRF) vulnerability in bingo!CMS 1.2 and earlier allows remote attackers to hijack the authentication of other users for requests that modify configuration or change conten...

CWE-3522009

CVE-2011-3609

MEDIUM
CVSS:6.5(Medium)

A CSRF issue was found in JBoss Application Server 7 before 7.1.0. JBoss did not properly restrict access to the management console information (for example via the "Access-Control-Allow-Origin" HTTP ...

CWE-3522011

CVE-2011-5250

MEDIUM
CVSS:6.5(Medium)

Snare for Linux before 1.7.0 has CSRF in the web interface.

CWE-3522011