CVE-2025-0865

Summary

CVE-2025-0865 is a Cross-Site Request Forgery vulnerability affecting the WP Media Category Management plugin for WordPress. Versions 2.0 to 2.3.3 are impacted by this issue. The vulnerability arises from inadequate nonce validation in the wp_mcm_handle_action_settings() function. An attacker can exploit this flaw by forging a request and tricking a site administrator into executing it. Successful exploitation enables the attacker to modify plugin settings, including taxonomies, base slugs for media categories, and default media categories.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.