Security readout for executives and security teams
Plain-English summary
CVE-2014-125090 is a cross-site scripting flaw in the WordPress Media Downloader Plugin. An authenticated remote user could manipulate the file parameter handled by getfile.php, potentially causing script execution in a victim’s browser. The known affected version is 0.1.992, and the cited fix is version 0.1.993.
Executive priority
Treat this as a moderate web application risk. It is not KEV-listed and requires authentication, but exposed WordPress plugins can create reputational and user-session risk. Patch during the next normal vulnerability remediation cycle unless the plugin is broadly accessible to untrusted users.
Technical view
Media Downloader Plugin 0.1.992 contains CWE-79 in getfile.php, affecting dl_file_resumable through the file argument. The CVSS v2 vector is AV:N/AC:L/Au:S/C:N/I:P/A:N, indicating network reachability, low complexity, authentication required, partial integrity impact, and no confidentiality or availability impact.
Likely exposure
Exposure is limited to WordPress sites running Media Downloader Plugin 0.1.992. The source bundle does not provide installation prevalence, default reachability, or evidence that unauthenticated users can trigger the issue.
Exploitation context
The vulnerability can be initiated remotely, but the CVSS vector indicates authentication is required. The source bundle marks KEV as false and provides no cited evidence of active exploitation in the wild.
Researcher notes
The public data is concise: affected component, parameter, CWE, CVSS, and patch are identified. The bundle does not include proof-of-concept details, exploit telemetry, or broader affected version ranges, so avoid expanding scope beyond Media Downloader Plugin 0.1.992.
Mitigation direction
- Upgrade Media Downloader Plugin to version 0.1.993 or later.
- Confirm the patch commit is present in deployed plugin code.
- Restrict plugin access where upgrade timing is uncertain.
- Check vendor or maintainer guidance for any additional hardening.
Validation and detection
- Inventory WordPress sites for Media Downloader Plugin installations.
- Verify installed plugin versions are not 0.1.992.
- Review getfile.php for the cited patch changes.
- Confirm authenticated roles with access to downloader functionality.
- Document any remaining unpatched instances and owners.
Public sources used
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
CWE-79: User-session and phishing behavior lookup
Client-side and session-facing weaknesses should be reviewed alongside initial-access and user-execution behaviors. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Open ATT&CK lookupCVE-2014-125090 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
Open ATT&CK lookup- Severity
- Medium
- CVSS
- 4 (2.0)
- Known Exploited
- No
- Published
Vector: AV:N/AC:L/Au:S/C:N/I:P/A:N
CNA and ADP enrichment extracted from CVE v5
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
CVSS vector scores
1 official scoreWe collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
AV:N/AC:L/Au:S/C:N/I:P/A:N82.9Primary CVE scoreVulnerability scoring details
Base CVSS 2.0 score
4MediumVector: AV:N/AC:L/Au:S/C:N/I:P/A:N
Source materials
- CVE List V5 sourceCVE List V5
- https://vuldb.com/?id.222262CVE reference · vdb-entry, technical-description
- https://vuldb.com/?ctiid.222262CVE reference · signature, permissions-required
- https://github.com/wp-plugins/media-downloader/commit/77beb720c682b9300035ab5f96eee225181d8a92CVE reference · patch
Products and packages named in the record
CWE details
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
