{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-11072", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "state": "PUBLISHED", "assignerShortName": "WPScan", "dateReserved": "2025-09-26T12:49:05.710Z", "datePublished": "2025-11-05T06:00:07.091Z", "dateUpdated": "2026-04-02T12:39:51.115Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2026-04-02T12:39:51.115Z"}, "title": "Download Counter Button <= 1.8.6.7 - Unauthenticated Arbitrary File Download", "problemTypes": [{"descriptions": [{"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "CWE"}]}], "affected": [{"vendor": "Unknown", "product": "MelAbu WP Download Counter Button", "versions": [{"status": "affected", "versionType": "semver", "version": "0", "lessThanOrEqual": "1.8.6.7"}], "defaultStatus": "unknown"}], "descriptions": [{"lang": "en", "value": "The MelAbu WP Download Counter Button WordPress plugin through 1.8.6.7 does not validate the path of files to be downloaded, which could allow unauthenticated attacker to read/download arbitrary files."}], "references": [{"url": "https://wpscan.com/vulnerability/538117c5-b04c-45fc-a953-6f619fdf7eaf/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "credits": [{"lang": "en", "value": "Khaled Alenazi (Nxploited)", "type": "finder"}, {"lang": "en", "value": "WPScan", "type": "coordinator"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "WPScan CVE Generator"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-11-05T18:36:27.812038Z", "id": "CVE-2025-11072", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-05T18:36:44.703Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-11072", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-05T18:36:27.812038Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-05T18:34:40.753Z"}}], "cna": {"title": "Download Counter Button <= 1.8.6.7 - Unauthenticated Arbitrary File Download", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Khaled Alenazi (Nxploited)"}, {"lang": "en", "type": "coordinator", "value": "WPScan"}], "affected": [{"vendor": "Unknown", "product": "MelAbu WP Download Counter Button", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.8.6.7"}], "defaultStatus": "unknown"}], "references": [{"url": "https://wpscan.com/vulnerability/538117c5-b04c-45fc-a953-6f619fdf7eaf/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "x_generator": {"engine": "WPScan CVE Generator"}, "descriptions": [{"lang": "en", "value": "The MelAbu WP Download Counter Button WordPress plugin through 1.8.6.7 does not validate the path of files to be downloaded, which could allow unauthenticated attacker to read/download arbitrary files."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2026-04-02T12:39:51.115Z"}}}, "cveMetadata": {"cveId": "CVE-2025-11072", "state": "PUBLISHED", "dateUpdated": "2026-04-02T12:39:51.115Z", "dateReserved": "2025-09-26T12:49:05.710Z", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "datePublished": "2025-11-05T06:00:07.091Z", "assignerShortName": "WPScan"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The MelAbu WP Download Counter Button WordPress plugin through 1.8.6.7 does not validate the path of files to be downloaded, which could allow unauthenticated attacker to read/download arbitrary files."}], "id": "CVE-2025-11072", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-11-05T06:15:32.990", "references": [{"source": "contact@wpscan.com", "url": "https://wpscan.com/vulnerability/538117c5-b04c-45fc-a953-6f619fdf7eaf/"}], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Deferred"}

{}

{"analysis": {"en": {"generated_at": "2026-04-27T22:58:07.096548+00:00", "value": {"mitigation_remediation": ["Upgrade the MelAbu WP Download Counter Button plugin to the latest supported version (1.8.6.8 or later) where path validation has been added.", "If an upgrade cannot be performed immediately, disable the download functionality for unauthenticated users in the plugin settings or block the download endpoint with access control rules, such as an .htaccess rule that requires authentication.", "Implement a temporary code change that limits the download path to a specific whitelist of directories or file types, preventing traversal outside the intended download folder."], "summary": {"action": "Patch", "impact": "Unauthorized file download"}, "threat_synthesis": {"affected_systems": "WordPress sites running the MelAbu WP Download Counter Button plugin version 1.8.6.7 or earlier are affected. No other vendors or product versions were identified in the CNA report.", "description_and_impact": "The vulnerability in the MelAbu WP Download Counter Button plugin allows an attacker with no authentication to request arbitrary files from the server. The plugin fails to validate the file path supplied in the download request, which effectively turns it into a path traversal flaw. An attacker could read sensitive configuration files, source code or other private data that resides on the same web root, compromising confidentiality.", "risk_and_exploitability": "The CVSS score of 5.3 indicates a moderate impact. The EPSS score of less than 1% points to a low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, because the flaw permits unauthenticated reading of arbitrary files via a web request, it is best addressed through a patch or the stated workaround. The likely attack vector is a web-based HTTP request targeting the plugin\u2019s download endpoint."}}}}, "created": "2025-11-06T10:07:27.062656+00:00", "updated": "2026-04-27T23:00:13.995693+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"], "weaknesses": ["CWE-22", "CWE-200"]}