Cross-Site Request Forgery in Mediabay by Codedraft
CVE-2025-28948
7.1HIGH
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 6 June 2025
What is CVE-2025-28948?
A Cross-Site Request Forgery (CSRF) vulnerability exists in the Codedraft Mediabay plugin for WordPress Media Library Folders. This flaw allows attackers to perform unauthorized actions on behalf of authenticated users, potentially leading to reflected Cross-Site Scripting (XSS) exploits. If an attacker tricks a user into clicking a malicious link while authenticated, they may be able to execute arbitrary scripts in the user's browser context.
Affected Version(s)
Mediabay - WordPress Media Library Folders <= 1.4
References
CVSS V3.1
Score:
7.1
Severity:
HIGH
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) (Patchstack Alliance)