Description
Cross-Site Request Forgery (CSRF) vulnerability in Seerox WP Media File Type Manager wp-media-file-type-manager allows Cross Site Request Forgery.This issue affects WP Media File Type Manager: from n/a through <= 2.3.1.
Published: 2025-06-06
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WP Media File Type Manager plugin has a Cross‑Site Request Forgery weakness that permits a user who is already authenticated to submit a request to the plugin’s settings endpoint without a valid CSRF token. This flaw, classified as CWE‑352, enables the alteration of plugin configuration silently by an attacker who can bring the administrator to a crafted page.

Affected Systems

Any WordPress installation running Seerox WP Media File Type Manager plugin version 2.3.1 or earlier is affected. The attack requires that the target user be logged in with sufficient privileges to change the plugin’s settings.

Risk and Exploitability

The vulnerability has a CVSS score of 4.3, indicating a moderate risk. Its EPSS score is under 1%, suggesting a low likelihood of exploitation in the wild. It is not listed in the CISA KEV catalog. An attacker would need to trick an authenticated user—most likely an administrator—to visit a malicious URL that submits a request to the vulnerable endpoint. The lack of anti‑CSRF protection makes the exploitation straightforward once the conditions are met.

Generated by OpenCVE AI on May 2, 2026 at 01:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Seerox WP Media File Type Manager to the newest released version (2.3.2 or later).
  • If the plugin is not required for site functionality, deactivate or uninstall it completely.
  • Configure the web application firewall or wp-config.php to block requests to the plugin’s settings endpoint when no valid CSRF token is present.

Generated by OpenCVE AI on May 2, 2026 at 01:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-17164 Cross-Site Request Forgery (CSRF) vulnerability in Seerox WP Media File Type Manager allows Cross Site Request Forgery. This issue affects WP Media File Type Manager: from n/a through 2.3.0.
History

Tue, 28 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in Seerox WP Media File Type Manager wp-media-file-type-manager allows Cross Site Request Forgery.This issue affects WP Media File Type Manager: from n/a through <= 2.3.2. Cross-Site Request Forgery (CSRF) vulnerability in Seerox WP Media File Type Manager wp-media-file-type-manager allows Cross Site Request Forgery.This issue affects WP Media File Type Manager: from n/a through <= 2.3.1.
Title WordPress WP Media File Type Manager plugin <= 2.3.2 - Cross Site Request Forgery (CSRF) vulnerability WordPress WP Media File Type Manager plugin <= 2.3.1 - Cross Site Request Forgery (CSRF) vulnerability

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in Seerox WP Media File Type Manager wp-media-file-type-manager allows Cross Site Request Forgery.This issue affects WP Media File Type Manager: from n/a through <= 2.3.1. Cross-Site Request Forgery (CSRF) vulnerability in Seerox WP Media File Type Manager wp-media-file-type-manager allows Cross Site Request Forgery.This issue affects WP Media File Type Manager: from n/a through <= 2.3.2.
Title WordPress WP Media File Type Manager plugin <= 2.3.1 - Cross Site Request Forgery (CSRF) vulnerability WordPress WP Media File Type Manager plugin <= 2.3.2 - Cross Site Request Forgery (CSRF) vulnerability
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in Seerox WP Media File Type Manager allows Cross Site Request Forgery. This issue affects WP Media File Type Manager: from n/a through 2.3.0. Cross-Site Request Forgery (CSRF) vulnerability in Seerox WP Media File Type Manager wp-media-file-type-manager allows Cross Site Request Forgery.This issue affects WP Media File Type Manager: from n/a through <= 2.3.1.
Title WordPress WP Media File Type Manager plugin <= 2.3.0 - Cross Site Request Forgery (CSRF) to Settings Change vulnerability WordPress WP Media File Type Manager plugin <= 2.3.1 - Cross Site Request Forgery (CSRF) vulnerability
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Fri, 06 Jun 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 06 Jun 2025 13:15:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in Seerox WP Media File Type Manager allows Cross Site Request Forgery. This issue affects WP Media File Type Manager: from n/a through 2.3.0.
Title WordPress WP Media File Type Manager plugin <= 2.3.0 - Cross Site Request Forgery (CSRF) to Settings Change vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:49.106Z

Reserved: 2025-02-21T16:46:11.506Z

Link: CVE-2025-27359

cve-icon Vulnrichment

Updated: 2025-06-06T14:39:55.634Z

cve-icon NVD

Status : Deferred

Published: 2025-06-06T13:15:27.447

Modified: 2026-04-28T19:30:01.370

Link: CVE-2025-27359

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T01:30:16Z

Weaknesses