Cross-Site Request Forgery in Mediabay by Codedraft
CVE-2025-28948

7.1HIGH

What is CVE-2025-28948?

A Cross-Site Request Forgery (CSRF) vulnerability exists in the Codedraft Mediabay plugin for WordPress Media Library Folders. This flaw allows attackers to perform unauthorized actions on behalf of authenticated users, potentially leading to reflected Cross-Site Scripting (XSS) exploits. If an attacker tricks a user into clicking a malicious link while authenticated, they may be able to execute arbitrary scripts in the user's browser context.

Affected Version(s)

Mediabay - WordPress Media Library Folders <= 1.4

References

CVSS V3.1

Score:
7.1
Severity:
HIGH
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) (Patchstack Alliance)
.
CVE-2025-28948 : Cross-Site Request Forgery in Mediabay by Codedraft