Platform
wordpress
Component
download-counter-button
Fixed in
1.8.7
CVE-2025-11072 is an arbitrary file access vulnerability in the MelAbu WP Download Counter Button WordPress plugin. It lets an unauthenticated attacker read and download arbitrary files from the server through the plugin's download functionality. All plugin versions up to and including 1.8.6.7 are affected. At the time of disclosure the advisory described a patch as still pending from the plugin developer, while the header of this page lists 1.8.7 as the fixing release; check the version actually installed against the WordPress plugin repository rather than relying on either statement alone.
The primary impact is unauthorized read access to files on the WordPress host. An attacker could exfiltrate wp-config.php (which holds the database credentials and authentication salts), other configuration files, source code, or any other file readable by the web-server process. Depending on what those files contain, this can lead to full compromise of the WordPress installation and potentially of the underlying server. No authentication is required, so anyone who can reach the site can attempt exploitation.
The vulnerability was publicly disclosed on 2025-11-05. No public proof-of-concept exploit is known at the time of writing, but file-read bugs of this kind are trivial to exploit and are a natural target for automated scanning. The vulnerability is not currently listed in the CISA KEV catalog.
Any website running the MelAbu WP Download Counter Button plugin is at risk, especially where sensitive data is stored on the server or file-system permissions are permissive. Shared hosting environments, where site owners typically have little control over plugin configuration or server-side permissions, are particularly exposed.
• wordpress / composer / npm: search the plugin source for the style handle it registers (a heuristic for the plugin's presence, not a vulnerability check):
  grep -r "wp_enqueue_style('melabu-counter-button',\s*plugin_dir_url(__FILE__)" wp-content/plugins/
• wordpress / composer / npm: list installed plugins with WP-CLI. The list shows the plugin slug (download-counter-button) rather than the vendor name, so match on both and ignore case:
  wp plugin list | grep -i -e melabu -e download-counter-button
• wordpress / composer / npm: check the plugin's status:
  wp plugin status | grep -i -e melabu -e download-counter-button
• generic web: check for unusual file downloads via the plugin's download button. Monitor access logs for requests that reference files outside the expected download directory, including URL-encoded or double-encoded traversal sequences.
Disclosure: 2025-11-05
Exploit status: no public proof of concept known; not listed in the CISA KEV catalog
EPSS: 0.10% (28th percentile)
CVSS vector: not provided (severity rated HIGH)
The recommended mitigation is to upgrade the MelAbu WP Download Counter Button plugin to a patched release as soon as one is available. If upgrading is not immediately possible because of compatibility concerns, temporarily disable the download functionality or the plugin itself, and tighten file-system permissions so the web-server process can read only what it must. Web Application Firewall (WAF) rules can block requests whose file parameter contains traversal sequences or otherwise points outside the intended download directory. Review web-server and WordPress logs for suspicious file access attempts.
No known patch is available. Review the vulnerability details carefully and implement protective measures based on your organisation's risk appetite. It may be best to uninstall the affected software and find an alternative.
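The two practical pieces of that mitigation are a containment check on the requested file path (the validation a download handler needs so that a name cannot escape the download directory) and a review of access logs for requests that tried to escape it. The following is an added example, not code from the original advisory or from the plugin: the query parameter name `file`, the download root `/var/www/html/wp-content/uploads/downloads`, and the log lines are all constructed for illustration and are not the plugin's real interface or real traffic.

```python
"""Added example (not code from the original advisory or from the plugin).

Two checks around an unauthenticated arbitrary-file-read in a WordPress
download handler: the containment check such a handler should perform, and a
scan of web-server access logs for traversal attempts against it. The query
parameter name ``file`` and the download root are assumptions for illustration.
"""
import os
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed location of legitimately downloadable files.
DOWNLOAD_ROOT = "/var/www/html/wp-content/uploads/downloads"

# Apache/nginx combined log format; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: one legitimate download, four escape attempts
# (plain, URL-encoded, double-encoded, absolute path), one unrelated request.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Nov/2025:10:02:11 +0000] "GET /?file=reports/q3.pdf HTTP/1.1" 200 48211',
    '203.0.113.9 - - [05/Nov/2025:10:02:15 +0000] "GET /?file=../../../../wp-config.php HTTP/1.1" 200 3177',
    '203.0.113.9 - - [05/Nov/2025:10:02:19 +0000] "GET /?file=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 3177',
    '203.0.113.9 - - [05/Nov/2025:10:02:22 +0000] "GET /?file=%252e%252e%252f%252e%252e%252fwp-config.php HTTP/1.1" 200 3177',
    '203.0.113.12 - - [05/Nov/2025:10:03:01 +0000] "GET /?file=/etc/passwd HTTP/1.1" 200 1452',
    '198.51.100.4 - - [05/Nov/2025:10:04:40 +0000] "GET /wp-login.php HTTP/1.1" 200 6022',
]


def normalise(value):
    """One extra percent-decode on top of what the server already did, so a
    double-encoded '..' (%252e%252e) is seen for what it is. Names containing
    a literal '%' can be mangled by this; for a security check that is the
    safer direction to err."""
    return unquote(value)


def resolve_download(base_dir, name):
    """Hardened containment check a download handler should perform.

    Returns the canonical absolute path to serve, or None if the request
    must be refused. realpath() follows symlinks, so a link inside the
    download root that points outside it is rejected as well."""
    decoded = normalise(name)
    if "\x00" in decoded or decoded.startswith(("/", "\\")):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, decoded))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def classify(value):
    """Return None for a benign-looking download name, else a short reason
    suitable for an alert."""
    decoded = normalise(value)
    if "\x00" in decoded:
        return "null byte"
    if decoded.startswith(("/", "\\")):
        return "absolute path"
    if ".." in re.split(r"[\\/]", decoded):
        return "dot-dot segment"
    if resolve_download(DOWNLOAD_ROOT, value) is None:
        return "escapes download root"
    return None


def scan_access_log(lines, param="file"):
    """Flag requests whose download parameter looks like an escape attempt.
    A 200 status on a flagged line means the server most likely served it."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m["target"]).query
        # parse_qs already performs the first percent-decode.
        for value in parse_qs(query, keep_blank_values=True).get(param, []):
            reason = classify(value)
            if reason:
                hits.append({"ip": m["ip"], "status": int(m["status"]),
                             "value": value, "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f'{hit["ip"]} {hit["status"]} {hit["reason"]}: {hit["value"]}')
```

Run against a real access log, the parameter name must be changed to whatever the installed plugin actually uses; the containment logic in `resolve_download` does not depend on it. Flagged lines with a 200 status are the ones to treat as successful reads when scoping an incident, and any wp-config.php read means rotating database credentials and the authentication salts.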
CVE-2025-11072 is a HIGH severity vulnerability that allows unauthenticated attackers to read arbitrary files on servers running the MelAbu WP Download Counter Button plugin, caused by insufficient validation of the requested file path.
You are affected if you run any version of the MelAbu WP Download Counter Button plugin up to and including 1.8.6.7. Upgrade to a patched version as soon as one is available.
Upgrade the MelAbu WP Download Counter Button plugin to the latest available version. As a temporary workaround, disable the plugin or restrict file system permissions.
As of 2025-11-05, there are no known public exploits, but it's crucial to apply the patch promptly to prevent potential exploitation.
Check the official MelAbu WP Download Counter Button plugin website and WordPress plugin repository for updates and security advisories related to CVE-2025-11072.