{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-11701", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-13T18:11:22.225Z", "datePublished": "2025-10-15T08:26:04.431Z", "dateUpdated": "2026-04-08T17:28:58.476Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:28:58.476Z"}, "affected": [{"vendor": "quicoto", "product": "Zip Attachments", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.6", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Zip Attachments plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check as well as missing post status validation in the za_create_zip_callback function in all versions up to, and including, 1.6. This makes it possible for unauthenticated attackers to download attachments from private and password-protected posts."}], "title": "Zip Attachments <= 1.6 - Missing Authorization to Unauthenticated Private And Password-Protected Posts Attachment Disclosure", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e166d52d-73d1-4572-b9cc-ab935b05e13c?source=cve"}, {"url": "http://plugins.trac.wordpress.org/browser/zip-attachments/tags/1.6/zip-attachments.php#L95"}, {"url": "http://plugins.trac.wordpress.org/browser/zip-attachments/tags/1.6/zip-attachments.php#L46"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Jonas Benjamin Friedli"}], "timeline": [{"time": "2025-08-22T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-10-14T19:35:45.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-15T13:24:10.783724Z", "id": "CVE-2025-11701", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-15T13:24:45.463Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-11701", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-15T13:24:10.783724Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-15T13:24:24.036Z"}}], "cna": {"title": "Zip Attachments <= 1.6 - Missing Authorization to Unauthenticated Private And Password-Protected Posts Attachment Disclosure", "credits": [{"lang": "en", "type": "finder", "value": "Jonas Benjamin Friedli"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}}], "affected": [{"vendor": "quicoto", "product": "Zip Attachments", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.6"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-08-22T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2025-10-14T19:35:45.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e166d52d-73d1-4572-b9cc-ab935b05e13c?source=cve"}, {"url": "http://plugins.trac.wordpress.org/browser/zip-attachments/tags/1.6/zip-attachments.php#L95"}, {"url": "http://plugins.trac.wordpress.org/browser/zip-attachments/tags/1.6/zip-attachments.php#L46"}], "descriptions": [{"lang": "en", "value": "The Zip Attachments plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check as well as missing post status validation in the za_create_zip_callback function in all versions up to, and including, 1.6. This makes it possible for unauthenticated attackers to download attachments from private and password-protected posts."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:28:58.476Z"}}}, "cveMetadata": {"cveId": "CVE-2025-11701", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:28:58.476Z", "dateReserved": "2025-10-13T18:11:22.225Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-10-15T08:26:04.431Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Zip Attachments plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check as well as missing post status validation in the za_create_zip_callback function in all versions up to, and including, 1.6. This makes it possible for unauthenticated attackers to download attachments from private and password-protected posts."}], "id": "CVE-2025-11701", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-10-15T09:15:42.910", "references": [{"source": "security@wordfence.com", "url": "http://plugins.trac.wordpress.org/browser/zip-attachments/tags/1.6/zip-attachments.php#L46"}, {"source": "security@wordfence.com", "url": "http://plugins.trac.wordpress.org/browser/zip-attachments/tags/1.6/zip-attachments.php#L95"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e166d52d-73d1-4572-b9cc-ab935b05e13c?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T02:18:04.816704+00:00", "value": {"mitigation_remediation": ["Apply the latest plugin update (version 1.7 or newer) to restore the missing capability and post status checks.", "If an update is not immediately possible, disable or remove the Zip Attachments plugin entirely to block the insecure endpoint.", "As a temporary measure, configure the web server to block requests to the plugin\u2019s callback URL (e.g., /zip-attachments.zip) for users without appropriate authentication headers."], "summary": {"action": "Update Plugin", "impact": "Unauthorized Disclosure"}, "threat_synthesis": {"affected_systems": "Quicoto\u2019s Zip Attachments plugin, all versions up to and including 1.6, is affected. Users running any of these versions are vulnerable unless the plugin has been patched or removed.", "description_and_impact": "The Zip Attachments plugin for WordPress is vulnerable because the za_create_zip_callback function lacks a capability check and does not validate the post status. This missing protection allows any unauthenticated user to trigger the function and download attachments that belong to private or password-protected posts. The vulnerability directly exposes private content without modifying the integrity of the site, leading to confidential data leakage.", "risk_and_exploitability": "The CVSS score of 5.3 indicates a moderate severity. The EPSS score is below 1%, suggesting a low probability of exploitation at the current time. The vulnerability is not listed in CISA\u2019s KEV catalog, so no known widespread attacks have been reported. Based on the description, the likely attack vector is an unauthenticated HTTP request to the plugin\u2019s zip endpoint. Attackers can download the ZIP file without any authentication or authorization checks, which circumvents the privacy controls of the site."}}}}, "created": "2025-10-20T13:27:00.606272+00:00", "updated": "2026-04-21T02:30:25.820136+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}