Download Attachments
Monthly
Authorization bypass in dFactory Download Attachments WordPress plugin versions up to 1.4.0 allows unauthenticated remote attackers to modify file access controls through user-controlled keys, enabling unauthorized file access or manipulation. The vulnerability exploits incorrectly configured access control security levels via an insecure direct object reference (IDOR) mechanism. With EPSS score of 0.02% and no confirmed active exploitation, this poses minimal immediate risk despite network-accessible attack surface.
The Download Attachments WordPress plugin before 1.3 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Authorization bypass in dFactory Download Attachments WordPress plugin versions up to 1.4.0 allows unauthenticated remote attackers to modify file access controls through user-controlled keys, enabling unauthorized file access or manipulation. The vulnerability exploits incorrectly configured access control security levels via an insecure direct object reference (IDOR) mechanism. With EPSS score of 0.02% and no confirmed active exploitation, this poses minimal immediate risk despite network-accessible attack surface.
The Download Attachments WordPress plugin before 1.3 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.