CVE-2025-23639
📋 TL;DR
This CSRF vulnerability in the MDC YouTube Downloader WordPress plugin allows attackers to trick authenticated administrators into performing unintended actions, which can lead to stored cross-site scripting (XSS). Attackers can inject malicious scripts that execute in victims' browsers when they visit compromised pages. All WordPress sites using MDC YouTube Downloader versions up to 3.0.0 are affected.
💻 Affected Systems
- MDC YouTube Downloader WordPress Plugin
📦 What is this software?
Mdc Youtube Downloader by Mdc Youtube Downloader Project
⚠️ Risk & Real-World Impact
Worst Case
Attackers could inject malicious JavaScript that steals administrator credentials, redirects users to malicious sites, or performs administrative actions on the WordPress site without authorization.
Likely Case
Attackers create fake admin interfaces or forms that trick logged-in administrators into executing actions that inject malicious scripts into site pages, affecting all visitors.
If Mitigated
With proper CSRF tokens and input validation, the vulnerability would be prevented, and only users with administrative privileges could make legitimate changes.
🎯 Exploit Status
Exploitation requires tricking an authenticated administrator into clicking a malicious link or visiting a compromised page. No public proof-of-concept exploit is known.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version after 3.0.0
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find MDC YouTube Downloader and update to the latest version.
4. If no update is available, deactivate and delete the plugin.
🔧 Temporary Workarounds
Implement CSRF Protection
Add CSRF tokens to all forms and actions in the plugin to prevent unauthorized requests.
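The "CSRF tokens and input validation" mitigation above, spelled out in WordPress terms. This is an added illustration written against the WordPress plugin API, not code from the MDC YouTube Downloader plugin; the `example_ytdl_*` action, option and field names are hypothetical placeholders. It places a generic unprotected admin-post handler beside a hardened one that adds a nonce check (the CSRF token), a capability check, input sanitization and output escaping:

```php
<?php
/**
 * Added illustration, not code from the MDC YouTube Downloader plugin.
 * Shows the "CSRF tokens + input validation" mitigation in WordPress terms.
 * All example_ytdl_* names are hypothetical placeholders.
 */

defined( 'ABSPATH' ) || exit;

/*
 * Unprotected pattern (kept for contrast, not wired to a hook): the handler
 * trusts any POST that reaches it. A hidden form on an external page, submitted
 * by a logged-in administrator's browser, is indistinguishable from a real
 * save, and the unsanitized value is later echoed into a page (stored XSS).
 */
function example_ytdl_save_settings_vulnerable() {
	update_option( 'example_ytdl_settings', array( 'title' => $_POST['title'] ) );
	wp_safe_redirect( wp_get_referer() );
	exit;
}

/* Hardened form: the nonce field is the CSRF token. */
function example_ytdl_render_settings_form() {
	$opts = get_option( 'example_ytdl_settings', array( 'title' => '' ) );
	?>
	<form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
		<input type="hidden" name="action" value="example_ytdl_save">
		<?php wp_nonce_field( 'example_ytdl_save', 'example_ytdl_nonce' ); ?>
		<label>Title
			<input type="text" name="title" value="<?php echo esc_attr( $opts['title'] ); ?>">
		</label>
		<?php submit_button( 'Save' ); ?>
	</form>
	<?php
}

/* Hardened handler. */
function example_ytdl_save_settings_hardened() {
	// 1. CSRF token: the nonce is bound to this action, the current user and a
	//    time window; a page on another origin cannot read or guess it.
	//    check_admin_referer() calls wp_die() when it is missing or invalid.
	check_admin_referer( 'example_ytdl_save', 'example_ytdl_nonce' );

	// 2. Authorization: a valid nonce only proves the request came from our own
	//    form, not that this user may change settings. Check the capability too.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( esc_html__( 'You are not allowed to change these settings.' ), '', array( 'response' => 403 ) );
	}

	// 3. Input validation: sanitize_text_field() strips tags, octets and line
	//    breaks before the value reaches the database.
	$title = isset( $_POST['title'] ) ? sanitize_text_field( wp_unslash( $_POST['title'] ) ) : '';
	update_option( 'example_ytdl_settings', array( 'title' => $title ) );

	// Redirect back so a browser refresh does not replay the POST.
	$back = wp_get_referer() ? wp_get_referer() : admin_url();
	wp_safe_redirect( add_query_arg( 'updated', '1', $back ) );
	exit;
}
add_action( 'admin_post_example_ytdl_save', 'example_ytdl_save_settings_hardened' );

// 4. Output escaping: even a value that slipped past validation is rendered as
//    text, so it cannot execute in visitors' browsers.
function example_ytdl_render_title() {
	$opts = get_option( 'example_ytdl_settings', array( 'title' => '' ) );
	echo '<h2>' . esc_html( $opts['title'] ) . '</h2>';
}
```

The nonce check stops the forged request itself; the capability check is still needed because a nonce proves origin, not privilege. Sanitizing on the way in and escaping with `esc_html()` on the way out is what keeps a successful forgery from turning into stored XSS for every visitor. A request rejected by `check_admin_referer()` ends in a 403 from `wp_die()`, which is visible in the web server's access log as a failed POST to admin-post.php.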
Disable Plugin
Temporarily deactivate the MDC YouTube Downloader plugin until a patch is applied.
wp plugin deactivate mdc-youtube-downloader
🧯 If You Can't Patch
- Remove the MDC YouTube Downloader plugin entirely from the WordPress installation.
- Implement a web application firewall (WAF) to block CSRF and XSS attack patterns.
🔍 How to Verify
Check if Vulnerable:
Check the plugin version in the WordPress admin under Plugins > Installed Plugins. If MDC YouTube Downloader is installed and its version is 3.0.0 or earlier, the site is vulnerable.
Check Version:
wp plugin get mdc-youtube-downloader --field=version
Verify Fix Applied:
After updating, verify the plugin version is above 3.0.0 in the WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to WordPress admin-ajax.php or admin-post.php involving the mdc-youtube-downloader plugin.
- JavaScript injection in page content or database entries related to the plugin.
Network Indicators:
- Forged requests are issued by the administrator's own browser from a page hosted on an external domain, so a POST to admin-post.php or admin-ajax.php whose Referer or Origin header names a domain other than the WordPress site is the corresponding indicator.
SIEM Query:
source="wordpress.log" AND ("mdc-youtube-downloader" OR "admin-ajax.php") AND (POST OR "cross-site")