CVE-2025-4580: File Provider <= 1.2.3 - Item Deletion via CSRF

Description

The File Provider WordPress plugin through 1.2.3 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.

Classification

CVE ID: CVE-2025-4580

Problem Types

CWE-352 Cross-Site Request Forgery (CSRF)

Affected Products

Vendor: Unknown

Product: File Provider

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.01% (probability of being exploited)

EPSS Percentile: 1.52% (proportion of vulnerabilities scored less than or equal to this one)

EPSS Date: 2025-06-05 (when this score was calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-4580
https://wpscan.com/vulnerability/8741353a-2a7f-4dee-b62d-7f5fe435f1a1/

Timeline