CVE-2025-8104 MEDIUM

CVE-2025-8104: Memory Usage <= 3.98 - Cross-Site Request Forgery to Limited Plugin Installation via wpmemory_install_plugin Function

Vendor: Sminozzi
Product: Memory Usage, Memory Limit, PHP and Server Memory Health Check and Provide Suggestions
Weakness: CWE-352 · CSRF
Published: July 27, 2025
Last update: April 8, 2026

CVSS base score

4.3/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: Required
Confidentiality: None
Integrity: Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

What the vulnerability does

01 Description

The Memory Usage plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.98. This is due to missing nonce validation in the wpmemory_install_plugin() function. This makes it possible for unauthenticated attackers to silently install one of the several whitelisted plugins via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
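What nonce validation looks like on a plugin-install handler of this kind, as an added example: this is not the Memory Usage plugin's code, and the handler, action name, nonce field and allowlisted slugs are hypothetical. It assumes it is loaded as a plugin file inside WordPress.

```php
<?php
// Added illustration, not the Memory Usage plugin's code. The handler, action,
// nonce and slug names are hypothetical; it runs as a plugin file in WordPress.
const EXAMPLE_ACTION = 'example_install_plugin';

// Plugins this handler may install (constructed sample slugs).
function example_allowed_slugs() {
    return array( 'example-plugin-a', 'example-plugin-b' );
}

// Admin-page form: wp_nonce_field() embeds a token bound to the current user,
// session and EXAMPLE_ACTION, which a page on another origin cannot obtain.
function example_render_install_form( $slug ) {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-ajax.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="' . esc_attr( EXAMPLE_ACTION ) . '">';
    echo '<input type="hidden" name="slug" value="' . esc_attr( $slug ) . '">';
    wp_nonce_field( EXAMPLE_ACTION, '_wpnonce' );
    submit_button( 'Install' );
    echo '</form>';
}

add_action( 'wp_ajax_' . EXAMPLE_ACTION, 'example_install_plugin' );
function example_install_plugin() {
    // 1. CSRF: ends the request with 403 unless a valid nonce is present.
    check_ajax_referer( EXAMPLE_ACTION, '_wpnonce' );
    // 2. Authorization: a nonce proves intent, not privilege.
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed.' ), 403 );
    }
    // 3. Input: accept only slugs from the fixed allowlist.
    $slug = isset( $_POST['slug'] ) ? sanitize_key( wp_unslash( $_POST['slug'] ) ) : '';
    if ( ! in_array( $slug, example_allowed_slugs(), true ) ) {
        wp_send_json_error( array( 'message' => 'Unknown plugin.' ), 400 );
    }
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    $api = plugins_api( 'plugin_information', array( 'slug' => $slug ) );
    if ( is_wp_error( $api ) ) {
        wp_send_json_error( array( 'message' => $api->get_error_message() ), 502 );
    }
    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    if ( true !== $upgrader->install( $api->download_link ) ) {
        wp_send_json_error( array( 'message' => 'Install failed.' ), 500 );
    }
    wp_send_json_success( array( 'installed' => $slug ) );
}
```

Without step 1, an administrator's browser would send the session cookie along with a request originating from any other site, and steps 2 and 3 alone would accept it.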

Explanation of Vulnerability in Simple Terms

02 Summary

A cross-site request forgery (CSRF) vulnerability in the Memory Usage, Memory Limit, PHP and Server Memory Health Check plugin allows an attacker to perform unwanted actions on behalf of an authenticated user. The vulnerability requires user interaction, typically clicking a malicious link, but does not require the attacker to be authenticated. An attacker can modify site settings or data with the privileges of the user who visits the malicious page; for this plugin, the description above identifies the forged action as the installation of one of the whitelisted plugins.

What an attacker can do

03 Attacker Capabilities

Perform unwanted actions (like changing settings) on behalf of a logged-in site user.

Potential impact on your site

04 Site Impact

Site settings or data could be altered without the user's knowledge if they visit an attacker's page while logged in.

Conditions required to exploit

05 Prerequisites

An authenticated site user must visit a page controlled by the attacker (e.g., click a malicious link).

Key dates

06 Disclosure timeline

July 27, 2025: CVE published
April 8, 2026: Record updated
