Skip to main content

Download Attachments EUVDEUVD-2026-20255

| CVE-2026-39616 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-04-08 Patchstack GHSA-4rmh-5mvp-v2g7
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Apr 14, 2026 - 15:25 vuln.today
CVSS changed
Apr 14, 2026 - 15:22 NVD
5.3 (MEDIUM)
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20255
CVE Published
Apr 08, 2026 - 08:30 nvd
N/A

DescriptionCVE.org

Authorization Bypass Through User-Controlled Key vulnerability in dFactory Download Attachments download-attachments allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Download Attachments: from n/a through <= 1.4.0.

AnalysisAI

Authorization bypass in dFactory Download Attachments WordPress plugin versions up to 1.4.0 allows unauthenticated remote attackers to modify file access controls through user-controlled keys, enabling unauthorized file access or manipulation. The vulnerability exploits incorrectly configured access control security levels via an insecure direct object reference (IDOR) mechanism. With EPSS score of 0.02% and no confirmed active exploitation, this poses minimal immediate risk despite network-accessible attack surface.

Technical ContextAI

The Download Attachments plugin for WordPress implements access control through user-supplied key parameters rather than server-side session or role-based validation. CWE-639 (Authorization Bypass Through User-Controlled Key) indicates the root cause: the application accepts client-side input to make access control decisions without proper validation or authorization checks. The plugin likely uses predictable or tamperable identifiers (keys) to determine which files a user can access, allowing attackers to bypass intended access restrictions by modifying these parameters. This is a classic IDOR vulnerability pattern where the plugin fails to verify that the authenticated user (or in this case, any user) is actually authorized to access the requested resource.

RemediationAI

Update the Download Attachments plugin to a version newer than 1.4.0 immediately if available through the WordPress admin panel or the official plugin repository. If no patched version is currently available, disable the plugin or restrict access to it via web server configuration until a fix is released by dFactory. Review the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/download-attachments/vulnerability/wordpress-download-attachments-plugin-1-4-0-insecure-direct-object-references-idor-vulnerability?_s_id=cve and the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2026-39616 for additional context. Verify that any custom integrations or custom code do not rely on the vulnerable plugin's access control mechanisms.

Share

EUVD-2026-20255 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy