Platform
wordpress
Component
download-counter-button
Fixed in
1.8.7
CVE-2025-11072 describes an Arbitrary File Access vulnerability in the MelAbu WP Download Counter Button WordPress plugin (slug download-counter-button). The flaw lets an unauthenticated attacker read and download files the plugin was never meant to serve. All versions up to and including 1.8.6.7 are affected; the version data above lists 1.8.7 as the fixed release.
The primary impact is unauthorized disclosure of files. Because the plugin code runs as the web server's PHP worker, an attacker can reach any file that user can read, which on a WordPress host necessarily includes wp-config.php (database credentials and the authentication salts) and, depending on layout, database backups, uploaded exports, or the site's own source code. Recovering the database credentials or salts can lead to a full site compromise and, where the database or host is shared, to lateral movement into neighbouring systems. No account is required; the attacker only needs to reach the plugin's download endpoint over HTTP with a crafted file reference. The blast radius is therefore the whole host, not just the download directory, and is larger still where the server stores sensitive data or sits inside a larger network.
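To make the bug class concrete, the following is an added illustration in Python and not the plugin's own code (this page does not show the plugin's handler or its request parameter names): a download resolver that trusts the request value, beside a hardened one that canonicalises the path and confines it to the download directory. The demo tree it builds, the `report.pdf`/`secret.txt` file names and the `.pdf`/`.zip` allow-list are all assumptions chosen for the example. The same logic applies in PHP with `realpath()`.

```python
import os
import tempfile

ALLOWED_EXT = (".pdf", ".zip")  # assumption: the endpoint is meant to serve only these types


def vulnerable_resolve(base_dir, requested):
    """Insufficient path validation: the request value is joined straight onto
    the download directory. A '../' segment walks out of it, and an absolute
    path makes os.path.join discard base_dir entirely."""
    return os.path.join(base_dir, requested)


def safe_resolve(base_dir, requested, allowed_ext=ALLOWED_EXT):
    """Canonicalise the candidate, then confirm it is still inside base_dir.
    Returns the real path to serve, or None to reject the request."""
    if "\x00" in requested:  # NUL truncates paths in C-level file APIs
        return None
    base = os.path.realpath(base_dir)
    # realpath resolves '..' segments and symlinks before the containment check
    target = os.path.realpath(os.path.join(base, requested))
    # commonpath, not startswith(): '/srv/dl' must not accept '/srv/dl_private/x'
    if os.path.commonpath([base, target]) != base:
        return None
    if not os.path.isfile(target):  # no directories, devices or sockets
        return None
    if os.path.splitext(target)[1].lower() not in allowed_ext:
        return None
    return target


def build_demo_tree():
    """Constructed fixture: a downloads directory holding one public file, and a
    secret.txt one level above it that must never be served."""
    root = tempfile.mkdtemp(prefix="dcb-demo-")
    downloads = os.path.join(root, "downloads")
    os.mkdir(downloads)
    with open(os.path.join(downloads, "report.pdf"), "w") as fh:
        fh.write("public report")
    with open(os.path.join(root, "secret.txt"), "w") as fh:
        fh.write("DB_PASSWORD=hunter2")  # stands in for wp-config.php
    return root, downloads


def compare(downloads, probes):
    """For each request value: does the naive join land on a real file, and what
    does the hardened resolver return?"""
    out = {}
    for p in probes:
        naive = vulnerable_resolve(downloads, p)
        out[p] = {"naive_hits_file": os.path.isfile(naive),
                  "safe": safe_resolve(downloads, p)}
    return out


if __name__ == "__main__":
    _, downloads = build_demo_tree()
    probes = ["report.pdf", "../secret.txt", "/etc/passwd", "report.pdf\x00.txt"]
    for probe, result in compare(downloads, probes).items():
        print(repr(probe), result)
```

The naive resolver happily returns `../secret.txt` as an existing file and turns an absolute request into that absolute path; the hardened one serves `report.pdf` and rejects the other three. Note that the extension allow-list is a second line of defence only: the containment check is what actually closes the traversal.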
This vulnerability was publicly disclosed on 2025-11-05. As of that date there is no known public proof-of-concept exploit. The EPSS score listed below is 0.10% (28th percentile), a low predicted probability of exploitation in the next 30 days; EPSS is recomputed daily and will rise if exploitation activity is observed, so monitor security advisories and vulnerability databases for updates.
Exploit Status
EPSS
0.10% (28th percentile)
CVSS Vector
The immediate mitigation is to upgrade the MelAbu WP Download Counter Button plugin to 1.8.7 or later, the fixed version listed above. Until that can be done, deactivate the plugin entirely; an inactive plugin's endpoints are not loaded, so it cannot be exploited. File system permissions are only a partial workaround: the plugin runs as the PHP worker user, which must be able to read wp-config.php, so permissions cannot protect that file. They can protect what that user does not need, such as backups and database dumps outside the web root, and separate PHP-FPM pools or users per site keep one compromised site from reading another. A Web Application Firewall can block requests to the plugin's download endpoint whose parameters contain traversal sequences (../ and ..\, their single- and double-percent-encoded forms), null bytes, or absolute paths; this page does not name the plugin's request parameter, so tune the rule to the endpoint rather than to a parameter name. Because WordPress itself does not log these downloads, review the web server access log and PHP error log for such requests, treating a 200 response with a non-trivial body size as a likely successful read that warrants incident response.
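The log review described above, as an added example in Python that is not part of the original advisory: a small scanner over access-log lines in the common Apache/nginx format that flags download requests whose path or query values decode to a traversal sequence, an absolute path or a null byte. The log lines are constructed for the example, and the endpoint path `download.php` and the parameter name `file` are assumptions; this page does not document the plugin's real endpoint or parameter.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Common/NCSA access-log format as written by Apache and nginx by default.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: one legitimate download, several probes, one unrelated request.
# The endpoint path and the 'file' parameter are assumptions, not the plugin's real ones.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Nov/2025:10:00:01 +0000] "GET /wp-content/plugins/download-counter-button/download.php?file=report.pdf HTTP/1.1" 200 5120',
    '203.0.113.7 - - [05/Nov/2025:10:00:02 +0000] "GET /wp-content/plugins/download-counter-button/download.php?file=../../../wp-config.php HTTP/1.1" 200 3120',
    '203.0.113.7 - - [05/Nov/2025:10:00:03 +0000] "GET /wp-content/plugins/download-counter-button/download.php?file=%252e%252e%252f%252e%252e%252fwp-config.php HTTP/1.1" 200 3120',
    '198.51.100.4 - - [05/Nov/2025:10:00:04 +0000] "GET /wp-login.php HTTP/1.1" 200 2210',
    '198.51.100.9 - - [05/Nov/2025:10:00:05 +0000] "GET /wp-content/plugins/download-counter-button/download.php?file=/etc/passwd HTTP/1.1" 404 196',
    '198.51.100.9 - - [05/Nov/2025:10:00:06 +0000] "GET /wp-content/plugins/download-counter-button/download.php?file=report.pdf%00.txt HTTP/1.1" 200 5120',
]


def fully_decode(value, rounds=3):
    """Percent-decode until stable so double-encoded %252e%252e%252f is seen as ../."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def traversal_reason(value):
    """Why a decoded parameter value looks like a file-access probe, or None."""
    v = fully_decode(value).replace("\\", "/")
    if "\x00" in v:
        return "null byte"
    if "../" in v or v.endswith("/.."):
        return "dot-dot segment"
    if v.startswith("/") or re.match(r"^[A-Za-z]:/", v):
        return "absolute path"
    return None


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan(lines):
    """One finding per request whose URL path or any query value looks like traversal."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec["target"])
        candidates = []
        path = fully_decode(parts.path).replace("\\", "/")
        if "../" in path:  # traversal in the path itself, not only in parameters
            candidates.append(("path", path, "dot-dot segment"))
        for key, values in parse_qs(parts.query, keep_blank_values=True).items():
            for val in values:
                reason = traversal_reason(val)
                if reason:
                    candidates.append((key, fully_decode(val), reason))
        if candidates:
            where, value, reason = candidates[0]
            findings.append({
                "ip": rec["ip"], "status": int(rec["status"]), "param": where,
                "value": value, "reason": reason,
                # a 200 with a real body is the one that warrants incident response
                "likely_success": rec["status"] == "200" and rec["size"] not in ("-", "0"),
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
```

Run against the sample, the scanner flags four requests and leaves the clean download and the login request alone; the two wp-config.php probes from 203.0.113.7 come back as likely successes, the absolute-path probe got a 404 and the null-byte probe a 200. POST bodies are not in the access log, so a traversal value sent in a form body would not appear here; that is a reason to log at the WAF or PHP layer as well.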
Where the fixed release (1.8.7 per the version data above) cannot be installed, review the vulnerability's details in depth and apply mitigations based on your organization's risk tolerance. Uninstalling the plugin and replacing it removes the exposure entirely.
CVE-2025-11072 is a HIGH severity vulnerability that lets unauthenticated attackers read arbitrary files readable by the web server process on sites running the MelAbu WP Download Counter Button plugin, due to insufficient path validation in its download handling.
You are affected if you run any version of the MelAbu WP Download Counter Button plugin up to and including 1.8.6.7. Upgrade to 1.8.7 or later, the fixed version listed above.
Upgrade the MelAbu WP Download Counter Button plugin to 1.8.7 or the latest available version. Until then, deactivate the plugin; tightening file system permissions helps only for files the PHP worker does not itself need to read.
As of 2025-11-05 there is no known public exploit, but the flaw requires no authentication, so apply the update promptly rather than waiting for exploitation reports.
Check the official MelAbu WP Download Counter Button plugin website and WordPress plugin repository for updates and security advisories related to CVE-2025-11072.