Description
Cross-Site Request Forgery (CSRF) vulnerability in John James Jacoby WP Media Categories wp-media-categories allows Cross Site Request Forgery. This issue affects WP Media Categories: from n/a through <= 2.1.0.
Published: 2025-10-22
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The plugin contains a CSRF weakness that permits an attacker to cause a logged‑in user to perform actions without their consent. The flaw may lead to unauthorized changes to media categories, site settings or content, thereby compromising the integrity (and potentially confidentiality) of the site.

Affected Systems

WordPress sites that have the WP Media Categories plugin by John James Jacoby installed and running any version up to and including 2.1.0 are affected.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity, while the EPSS score of less than 1 % shows a very low current probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires a victim with a legitimate session, such as an administrator logged into the site, to visit an attacker-controlled page that submits the request; because no CSRF token is checked, the forged request is accepted unchallenged.

Generated by OpenCVE AI on April 29, 2026 at 23:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WP Media Categories to a version newer than 2.1.0.
  • If an update is not available, remove the plugin from the WordPress installation.
  • Verify that all administrative pages are protected by proper CSRF tokens or implement custom token checks on site‑wide forms.
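As an added illustration of the last recommendation (example code, not the plugin's own): a hypothetical admin form that assigns a category to a media attachment, protected with WordPress core's nonce and capability checks. The function and field names prefixed `wpmc_example_` are assumptions; the form is assumed to run inside WordPress and to use the `category` taxonomy on attachments.

```php
<?php
// Added example, not code from the WP Media Categories plugin.
// A handler that processes $_POST without a nonce check is the CWE-352 pattern
// this record describes; the two functions below show the guarded form.

// 1. Rendering the form: embed a nonce bound to an action name that includes
//    the object being edited, so a token for one attachment cannot be replayed
//    against another.
function wpmc_example_render_form( $attachment_id ) {
    $attachment_id = (int) $attachment_id;
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="wpmc_example_update" />
        <input type="hidden" name="attachment_id" value="<?php echo $attachment_id; ?>" />
        <?php wp_nonce_field( 'wpmc_example_update_' . $attachment_id, '_wpmc_nonce' ); ?>
        <input type="text" name="category" />
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// 2. Handling the submission: verify the nonce first, then the capability.
function wpmc_example_handle_update() {
    $attachment_id = isset( $_POST['attachment_id'] ) ? (int) $_POST['attachment_id'] : 0;

    // Stops the request with an error page when the nonce is missing, expired,
    // or was issued for a different user or attachment. A cross-site page
    // cannot read the nonce, so a forged request never passes this line.
    check_admin_referer( 'wpmc_example_update_' . $attachment_id, '_wpmc_nonce' );

    // A nonce only proves the request came from a form this site rendered;
    // it is not authorization, so the capability check is still required.
    if ( ! current_user_can( 'edit_post', $attachment_id ) ) {
        wp_die( 'You are not allowed to edit this attachment.', '', array( 'response' => 403 ) );
    }

    $category = isset( $_POST['category'] )
        ? sanitize_text_field( wp_unslash( $_POST['category'] ) )
        : '';
    wp_set_object_terms( $attachment_id, $category, 'category' );

    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url( 'upload.php' ) );
    exit;
}
// admin-post.php dispatches POSTs with action=wpmc_example_update to this handler.
add_action( 'admin_post_wpmc_example_update', 'wpmc_example_handle_update' );
```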

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type | Values Removed | Values Added
Metrics | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'} | cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Tue, 20 Jan 2026 15:30:00 +0000

Tue, 20 Jan 2026 14:45:00 +0000

Thu, 13 Nov 2025 11:30:00 +0000

Thu, 13 Nov 2025 10:45:00 +0000

Thu, 23 Oct 2025 10:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wordpress, Wordpress wordpress
Vendors & Products | | Wordpress, Wordpress wordpress

Thu, 23 Oct 2025 09:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Oct 2025 21:30:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Wed, 22 Oct 2025 14:45:00 +0000

Type | Values Removed | Values Added
Description | | Cross-Site Request Forgery (CSRF) vulnerability in John James Jacoby WP Media Categories wp-media-categories allows Cross Site Request Forgery. This issue affects WP Media Categories: from n/a through <= 2.1.0.
Title | | WordPress WP Media Categories Plugin <= 2.1.0 - Cross Site Request Forgery (CSRF) Vulnerability
Weaknesses | | CWE-352
References | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:55.419Z

Reserved: 2025-09-25T15:20:34.879Z

Link: CVE-2025-60134

Vulnrichment

Updated: 2025-10-22T20:25:09.940Z

NVD

Status : Deferred

Published: 2025-10-22T15:15:57.023

Modified: 2026-04-27T16:16:32.587

Link: CVE-2025-60134

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T23:45:16Z

Weaknesses
  • CWE-352: Cross-Site Request Forgery (CSRF)