The vulnerability CVE-2025-14399 affects the WordPress plugin 'Download Plugins and Themes in ZIP from Dashboard' in all versions up to and including 1.9.6. It is a Cross-Site Request Forgery (CSRF) flaw categorized under CWE-352, caused by missing or incorrect nonce validation in the plugin's download_plugin_bulk and download_theme_bulk functions. Nonces in WordPress are security tokens used to verify that requests originate from legitimate users and prevent unauthorized actions. Without proper nonce validation, attackers can craft malicious requests that, when executed by an authenticated administrator (via clicking a link or visiting a malicious page), trigger the plugin to archive all installed plugins and themes into ZIP files. These archives are saved in the wp-content/uploads/ directory, which is typically web-accessible. While the attacker cannot directly execute the action without user interaction, the ability to archive and expose the site's plugins and themes can reveal sensitive information about the site's configuration and potentially aid in further exploitation or reconnaissance. The vulnerability does not directly compromise confidentiality or availability but impacts integrity by allowing unauthorized modification of site content (creation of archives). The CVSS 3.1 base score is 4.3, reflecting network attack vector, low attack complexity, no privileges required, user interaction needed, and limited impact on integrity only. No patches or exploits are currently publicly known, but the plugin's widespread use in WordPress environments makes it a notable risk. The vulnerability highlights the importance of proper nonce implementation in WordPress plugins to prevent CSRF attacks.

The primary impact of this vulnerability is unauthorized modification of the WordPress site by creating archives of all plugins and themes without administrator consent. Although it does not directly lead to data disclosure or site downtime, the archived files could expose sensitive information about plugin versions and themes in use, which attackers can leverage for targeted attacks or privilege escalation. The presence of these archives in a web-accessible directory increases the risk of information leakage. For organizations, this could lead to increased reconnaissance by attackers, potentially facilitating more severe attacks such as privilege escalation, code injection, or deployment of malware. The requirement for administrator interaction limits the ease of exploitation but does not eliminate risk, especially in environments with multiple administrators or less security-aware users. Overall, the vulnerability undermines the integrity of the WordPress environment and could serve as a stepping stone for more damaging attacks.

To mitigate this vulnerability, organizations should immediately update the 'Download Plugins and Themes in ZIP from Dashboard' plugin to a patched version once available. Until a patch is released, administrators should consider disabling or uninstalling the plugin to eliminate the attack surface. Implementing strict Content Security Policy (CSP) headers can reduce the risk of CSRF by limiting the sources of executable scripts. Additionally, administrators should be trained to avoid clicking on suspicious links or visiting untrusted websites while logged into WordPress dashboards. Web application firewalls (WAFs) can be configured to detect and block suspicious requests targeting the vulnerable plugin endpoints. Monitoring the wp-content/uploads/ directory for unexpected ZIP files can help detect exploitation attempts. Finally, plugin developers should ensure proper nonce validation is implemented for all state-changing actions to prevent similar vulnerabilities.