CVE-2025-0865

Name of the Vulnerable Software and Affected Versions WP Media Category Management plugin versions 2.0 to 2.3.3

Description The issue is related to Cross-Site Request Forgery due to missing or incorrect nonce validation on the wp mcm handle action settings() function. This allows unauthenticated attackers to alter plugin settings, such as the taxonomy used for media, the base slug for media categories, and the default media category, by tricking a site administrator into performing an action like clicking on a link.

Recommendations For WP Media Category Management plugin versions 2.0 to 2.3.3, consider disabling the wp mcm handle action settings() function until a patch is available to prevent exploitation. Restrict access to the plugin's settings to minimize the risk of unauthorized changes. Avoid using the plugin until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.