Description
The Download Plugins and Themes in ZIP from Dashboard plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9.6. This is due to missing or incorrect nonce validation on the download_plugin_bulk and download_theme_bulk functions. This makes it possible for unauthenticated attackers to archive all the sites plugins and themes and place them in the `wp-content/uploads/` directory via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-12-17
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Request Forgery enabling bulk download of plugins and themes
Action: Apply Patch
AI Analysis

Impact

The Download Plugins and Themes in ZIP from Dashboard plugin for WordPress is vulnerable to Cross‑Site Request Forgery due to missing or incorrect nonce validation on the download_plugin_bulk and download_theme_bulk functions. A forged request can cause an attacker to trigger the bulk download of all installed plugins and themes, resulting in the archive files being written to the wp‑content/uploads/ directory. This exposes site code and related files to an unauthenticated attacker, which could facilitate further exploitation or data exfiltration.

Affected Systems

WordPress sites running the wpcodefactory Download Plugins and Themes in ZIP from Dashboard plugin version 1.9.6 or earlier. Any site that has this plugin installed and is able to process admin‑level requests is susceptible. Update to a version newer than 1.9.6 to address the missing nonce validation.

Risk and Exploitability

The CVSS score of 4.3 indicates medium severity, while the EPSS score of less than 1% suggests a low probability of exploitation at present. The vulnerability is not listed in CISA KEV. Attackers would need to trick an administrator into clicking a malicious link or submitting a forged form, so a social‑engineering vector is likely. Post‑exploitation, the attacker could read the archived files and potentially identify additional weaknesses.

Generated by OpenCVE AI on April 21, 2026 at 17:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Download Plugins and Themes in ZIP from Dashboard plugin to a version newer than 1.9.6 so that nonce validation is properly enforced.
  • If an immediate update is not feasible, temporarily disable the bulk download functionality in the plugin settings or remove the plugin entirely until a fix is available.
  • Monitor the wp‑content/uploads/ directory for unexpected ZIP files and remove them promptly to prevent accidental discovery of site code by malicious actors.

Generated by OpenCVE AI on April 21, 2026 at 17:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 17 Dec 2025 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 17 Dec 2025 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wpfactory
Wpfactory download Plugins And Themes From Dashboard
Vendors & Products Wordpress
Wordpress wordpress
Wpfactory
Wpfactory download Plugins And Themes From Dashboard

Wed, 17 Dec 2025 07:30:00 +0000

Type Values Removed Values Added
Description The Download Plugins and Themes in ZIP from Dashboard plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9.6. This is due to missing or incorrect nonce validation on the download_plugin_bulk and download_theme_bulk functions. This makes it possible for unauthenticated attackers to archive all the sites plugins and themes and place them in the `wp-content/uploads/` directory via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title Download Plugins and Themes from Dashboard <= 1.9.6 - Cross-Site Request Forgery to Bulk Plugin/Theme Archival
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Subscriptions

Wordpress Wordpress
Wpfactory Download Plugins And Themes From Dashboard
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:04:22.407Z

Reserved: 2025-12-10T01:12:16.135Z

Link: CVE-2025-14399

cve-icon Vulnrichment

Updated: 2025-12-17T21:44:06.524Z

cve-icon NVD

Status : Deferred

Published: 2025-12-17T08:15:43.000

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14399

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T17:15:25Z

Weaknesses