Description
Cross-Site Request Forgery (CSRF) vulnerability in Nazmul Ahsan MDC YouTube Downloader mdc-youtube-downloader allows Stored XSS. This issue affects MDC YouTube Downloader: from n/a through <= 3.0.0.
Published: 2025-01-16
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The plugin contains a Cross‑Site Request Forgery (CSRF) flaw that lets an attacker store arbitrary script payloads in the plugin’s data fields. When that data is later displayed to site visitors, the scripts execute in their browsers, enabling session hijacking, data theft, defacement or other browser‑side compromises. The weakness is classified as CWE‑352 (Cross‑Site Request Forgery).

Affected Systems

WordPress sites with the Nazmul Ahsan MDC YouTube Downloader plugin installed are affected when the plugin version is 3.0.0 or earlier, regardless of whether the plugin was obtained from the WordPress plugin repository or another distribution channel.

Risk and Exploitability

The CVSS score of 7.1 indicates a medium‑to‑high risk. The EPSS score is below 1 %, suggesting that real‑world exploitation is currently rare. The vulnerability is not listed in CISA’s KEV catalog. The likely attack path, inferred from the description, is that a forged request to the plugin’s endpoint pushes a malicious script that persists in the database and runs for any visitor who loads the affected page. The risk is limited to sites where the plugin is enabled and the stored data is rendered to users.

Generated by OpenCVE AI on May 2, 2026 at 06:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the MDC YouTube Downloader plugin to the latest version that contains the CSRF fix.
  • Add and enforce anti‑CSRF tokens on all data‑entry forms processed by the plugin, ensuring that forged requests are rejected.
  • Sanitize any data stored by the plugin to strip or escape disallowed script tags before rendering them to users.
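A hypothetical WordPress settings handler showing the weak pattern beside the hardened one (nonce check, capability check, sanitized storage, escaped output), added here as an illustration; it is not the MDC YouTube Downloader's own code, and the option name, action name and form field are assumptions:

```php
<?php
// Hypothetical handler illustrating CSRF (CWE-352) leading to stored XSS.
// Not the plugin's code: option name, action name and field are constructed.

// WEAK: any POST reaching admin-post.php is accepted. No nonce, no capability
// check, raw value stored, and (below) echoed without escaping.
function mdcdemo_save_settings_weak() {
    update_option( 'mdcdemo_caption', $_POST['caption'] ?? '' );
    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
}

// HARDENED: the nonce ties the request to this action and the user's session,
// so a request forged from another origin is rejected before anything is stored.
function mdcdemo_save_settings() {
    // check_admin_referer() stops execution when the nonce is missing or invalid.
    check_admin_referer( 'mdcdemo_save_settings', 'mdcdemo_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // Strip tags and control characters before the value reaches the database.
    $caption = sanitize_text_field( wp_unslash( $_POST['caption'] ?? '' ) );
    update_option( 'mdcdemo_caption', $caption );
    wp_safe_redirect( admin_url( 'options-general.php?page=mdcdemo&saved=1' ) );
    exit;
}
add_action( 'admin_post_mdcdemo_save_settings', 'mdcdemo_save_settings' );

// Settings form: wp_nonce_field() emits the hidden token the handler verifies.
function mdcdemo_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="mdcdemo_save_settings">
        <?php wp_nonce_field( 'mdcdemo_save_settings', 'mdcdemo_nonce' ); ?>
        <input type="text" name="caption"
               value="<?php echo esc_attr( get_option( 'mdcdemo_caption', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Output: escape at render time so a stored value can never become markup,
// which covers the stored-XSS half even if a write path is ever bypassed.
function mdcdemo_render_caption() {
    echo '<p class="mdcdemo-caption">'
        . esc_html( get_option( 'mdcdemo_caption', '' ) ) . '</p>';
}
```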


Advisories

Source | ID | Title
EUVD | EUVD-2025-3303 | Cross-Site Request Forgery (CSRF) vulnerability in Nazmul Ahsan MDC YouTube Downloader allows Stored XSS. This issue affects MDC YouTube Downloader: from n/a through 3.0.0.

History

Thu, 23 Apr 2026 15:00:00 +0000
  Metrics (cvssV3_1)
    Removed: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
    Added:   {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000
  Description
    Removed: Cross-Site Request Forgery (CSRF) vulnerability in Nazmul Ahsan MDC YouTube Downloader allows Stored XSS.This issue affects MDC YouTube Downloader: from n/a through 3.0.0.
    Added:   Cross-Site Request Forgery (CSRF) vulnerability in Nazmul Ahsan MDC YouTube Downloader mdc-youtube-downloader allows Stored XSS.This issue affects MDC YouTube Downloader: from n/a through <= 3.0.0.
  References
  Metrics (cvssV3_1)
    Removed: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}
    Added:   {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Tue, 30 Sep 2025 21:45:00 +0000
  First Time appeared
    Added: Mdc Youtube Downloader Project; Mdc Youtube Downloader Project mdc Youtube Downloader
  CPEs
    Added: cpe:2.3:a:mdc_youtube_downloader_project:mdc_youtube_downloader:*:*:*:*:*:wordpress:*:*
  Vendors & Products
    Added: Mdc Youtube Downloader Project; Mdc Youtube Downloader Project mdc Youtube Downloader

Fri, 17 Jan 2025 20:15:00 +0000
  Metrics (ssvc)
    Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 16 Jan 2025 20:15:00 +0000
  Description
    Added: Cross-Site Request Forgery (CSRF) vulnerability in Nazmul Ahsan MDC YouTube Downloader allows Stored XSS.This issue affects MDC YouTube Downloader: from n/a through 3.0.0.
  Title
    Added: WordPress MDC YouTube Downloader plugin <= 3.0.0 - CSRF to Stored XSS vulnerability
  Weaknesses
    Added: CWE-352
  References
  Metrics (cvssV3_1)
    Added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:15.952Z

Reserved: 2025-01-16T11:27:31.286Z

Link: CVE-2025-23639

Vulnrichment

Updated: 2025-01-17T17:20:58.904Z

NVD

Status: Modified

Published: 2025-01-16T20:15:41.763

Modified: 2026-04-23T15:24:12.090

Link: CVE-2025-23639

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T06:30:36Z

Weaknesses