CVE-2025-54672: 
WordPress vulnerability analysis and mitigation

Cross-Site Request Forgery (CSRF) vulnerability affects the Photo Engine (Media Organizer and Lightroom) WordPress plugin versions up to and including 6.4.3. The vulnerability was discovered on July 30, 2025, and publicly disclosed on August 14, 2025 (Rapid7, Patchstack).

The vulnerability stems from missing or incorrect nonce validation on a function within the Photo Engine plugin. The CVSS v3.1 base score is 4.3 (MEDIUM) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N. This indicates that the vulnerability can be exploited over the network, requires low attack complexity, needs no privileges, but does require user interaction (NVD, Patchstack).

The vulnerability allows unauthenticated attackers to perform unauthorized actions by tricking site administrators into performing specific actions, such as clicking on malicious links. The impact is considered low to moderate, primarily affecting the integrity of the system through unauthorized state changes (Rapid7).

The vulnerability has been fixed in version 6.4.4 of the Photo Engine plugin. Users are advised to update to this version or later to remove the vulnerability. The security issue is considered to have a low severity impact and is unlikely to be exploited (Patchstack).