Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
Authorization Bypass Through User-Controlled Key vulnerability in dFactory Download Attachments download-attachments allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Download Attachments: from n/a through <= 1.4.0.
AnalysisAI
Authorization bypass in dFactory Download Attachments WordPress plugin versions up to 1.4.0 allows unauthenticated remote attackers to modify file access controls through user-controlled keys, enabling unauthorized file access or manipulation. The vulnerability exploits incorrectly configured access control security levels via an insecure direct object reference (IDOR) mechanism. With EPSS score of 0.02% and no confirmed active exploitation, this poses minimal immediate risk despite network-accessible attack surface.
Technical ContextAI
The Download Attachments plugin for WordPress implements access control through user-supplied key parameters rather than server-side session or role-based validation. CWE-639 (Authorization Bypass Through User-Controlled Key) indicates the root cause: the application accepts client-side input to make access control decisions without proper validation or authorization checks. The plugin likely uses predictable or tamperable identifiers (keys) to determine which files a user can access, allowing attackers to bypass intended access restrictions by modifying these parameters. This is a classic IDOR vulnerability pattern where the plugin fails to verify that the authenticated user (or in this case, any user) is actually authorized to access the requested resource.
RemediationAI
Update the Download Attachments plugin to a version newer than 1.4.0 immediately if available through the WordPress admin panel or the official plugin repository. If no patched version is currently available, disable the plugin or restrict access to it via web server configuration until a fix is released by dFactory. Review the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/download-attachments/vulnerability/wordpress-download-attachments-plugin-1-4-0-insecure-direct-object-references-idor-vulnerability?_s_id=cve and the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2026-39616 for additional context. Verify that any custom integrations or custom code do not rely on the vulnerable plugin's access control mechanisms.
More in Download Attachments
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20255
GHSA-4rmh-5mvp-v2g7