CVE-2025-23639

High

Published: 16 January 2025

Published

16 January 2025

Modified

23 April 2026

KEV Added

—

Patch

—

CVSS Score 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

EPSS Score 0.0004 11.9th percentile

Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Description

Cross-Site Request Forgery (CSRF) vulnerability in Nazmul Ahsan MDC YouTube Downloader mdc-youtube-downloader allows Stored XSS.This issue affects MDC YouTube Downloader: from n/a through <= 3.0.0.

Security Summary

CVE-2025-23639 is a Cross-Site Request Forgery (CSRF) vulnerability in the WordPress plugin MDC YouTube Downloader (mdc-youtube-downloader) developed by Nazmul Ahsan that enables Stored Cross-Site Scripting (XSS). The flaw, tied to CWE-352, affects all versions of the plugin up to and including 3.0.0.

With a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), the vulnerability is exploitable over the network by unauthenticated attackers with low complexity, though it requires user interaction. An attacker can trick an authenticated user into submitting a malicious request via a crafted webpage, leading to the storage of XSS payloads that execute in the context of other users viewing affected content.

The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/mdc-youtube-downloader/vulnerability/wordpress-mdc-youtube-downloader-plugin-3-0-0-csrf-to-stored-xss-vulnerability?_s_id=cve) documents the CSRF-to-stored-XSS issue specifically in version 3.0.0 of the WordPress MDC YouTube Downloader plugin.

Details

CWE(s): CWE-352

Affected Products

mdc youtube downloader project

mdc youtube downloader

≤ 3.0.0

References

https://patchstack.com/database/Wordpress/Plugin/mdc-youtube-downloader/vulnerability/wordpress-mdc-youtube-downloader-plugin-3-0-0-csrf-to-stored-xss-vulnerability?_s_id=cve
Third Party Advisory · audit@patchstack.com