Skip to main content

Download Attachments

2 CVEs product

Monthly

CVE-2026-39616 MEDIUM This Month

Authorization bypass in dFactory Download Attachments WordPress plugin versions up to 1.4.0 allows unauthenticated remote attackers to modify file access controls through user-controlled keys, enabling unauthorized file access or manipulation. The vulnerability exploits incorrectly configured access control security levels via an insecure direct object reference (IDOR) mechanism. With EPSS score of 0.02% and no confirmed active exploitation, this poses minimal immediate risk despite network-accessible attack surface.

Authentication Bypass Download Attachments
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2023-0076 MEDIUM This Month

The Download Attachments WordPress plugin before 1.3 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress XSS Download Attachments
NVD WPScan
CVSS 3.1
5.4
EPSS
0.5%
EPSS 0% CVSS 5.3
MEDIUM This Month

Authorization bypass in dFactory Download Attachments WordPress plugin versions up to 1.4.0 allows unauthenticated remote attackers to modify file access controls through user-controlled keys, enabling unauthorized file access or manipulation. The vulnerability exploits incorrectly configured access control security levels via an insecure direct object reference (IDOR) mechanism. With EPSS score of 0.02% and no confirmed active exploitation, this poses minimal immediate risk despite network-accessible attack surface.

Authentication Bypass Download Attachments
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

The Download Attachments WordPress plugin before 1.3 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress XSS Download Attachments
NVD WPScan

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy