{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14633", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-12T22:11:21.919Z", "datePublished": "2025-12-20T03:20:23.217Z", "dateUpdated": "2026-04-08T17:18:32.758Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:18:32.758Z"}, "affected": [{"vendor": "niao70", "product": "F70 Lead Document Download", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.4.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The F70 Lead Document Download plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'file_download' function in all versions up to, and including, 1.4.4. This makes it possible for unauthenticated attackers to download any file from the WordPress media library by guessing or enumerating WordPress attachment IDs."}], "title": "F70 Lead Document Download <= 1.4.4 - Missing Authorization to Unauthenticated Arbitrary Media File Download", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bba22270-de9b-4651-8180-c077ef113112?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/f70-lead-document-download/trunk/includes/class.download.php#L61"}, {"url": "https://plugins.trac.wordpress.org/browser/f70-lead-document-download/tags/1.4.4/includes/class.download.php#L61"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Camilla Flocco"}], "timeline": [{"time": "2025-12-19T15:02:53.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-22T20:32:34.418397Z", "id": "CVE-2025-14633", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-22T20:32:39.762Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14633", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-22T20:32:34.418397Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-22T20:32:37.247Z"}}], "cna": {"title": "F70 Lead Document Download <= 1.4.4 - Missing Authorization to Unauthenticated Arbitrary Media File Download", "credits": [{"lang": "en", "type": "finder", "value": "Camilla Flocco"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}}], "affected": [{"vendor": "niao70", "product": "F70 Lead Document Download", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.4.4"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-19T15:02:53.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bba22270-de9b-4651-8180-c077ef113112?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/f70-lead-document-download/trunk/includes/class.download.php#L61"}, {"url": "https://plugins.trac.wordpress.org/browser/f70-lead-document-download/tags/1.4.4/includes/class.download.php#L61"}], "descriptions": [{"lang": "en", "value": "The F70 Lead Document Download plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'file_download' function in all versions up to, and including, 1.4.4. This makes it possible for unauthenticated attackers to download any file from the WordPress media library by guessing or enumerating WordPress attachment IDs."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-12-20T03:20:23.217Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14633", "state": "PUBLISHED", "dateUpdated": "2025-12-22T20:32:39.762Z", "dateReserved": "2025-12-12T22:11:21.919Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-20T03:20:23.217Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The F70 Lead Document Download plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'file_download' function in all versions up to, and including, 1.4.4. This makes it possible for unauthenticated attackers to download any file from the WordPress media library by guessing or enumerating WordPress attachment IDs."}], "id": "CVE-2025-14633", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-20T04:16:08.140", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/f70-lead-document-download/tags/1.4.4/includes/class.download.php#L61"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/f70-lead-document-download/trunk/includes/class.download.php#L61"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bba22270-de9b-4651-8180-c077ef113112?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T21:21:40.051158+00:00", "value": {"mitigation_remediation": ["Upgrade the F70 Lead Document Download plugin to the latest available version that implements a proper capability check for the file_download action.", "If no newer version exists, replace the plugin with an alternative that enforces authorization before file access, or remove the plugin entirely if the feature is unnecessary.", "Ensure that all other plugins or custom code on the site perform capability checks on media file access to prevent similar unauthorized download vectors."], "summary": {"action": "Apply Patch", "impact": "Unauthorized Access to Media Files"}, "threat_synthesis": {"affected_systems": "The vulnerability exists in the WordPress plugin F70 Lead Document Download for all released versions up to and including 1.4.4. Sites running these versions with the plugin active are susceptible if the function can be called externally.", "description_and_impact": "The plugin\u2019s file_download function lacks a capability check, allowing any user without authentication to request files from the WordPress media library by guessing attachment IDs. This enables download of arbitrary media files, compromising the confidentiality of stored content.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity, and the EPSS score of less than 1% suggests a low likelihood of exploitation at present. The issue is not listed in the CISA KEV catalog. Attackers can trigger the flaw remotely by directing any visitor to the file download endpoint; the missing check is the prerequisite for successful exploitation."}}}}, "created": "2025-12-21T21:12:31.876299+00:00", "updated": "2026-04-20T21:30:18.573329+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}