Description
The MelAbu WP Download Counter Button WordPress plugin through 1.8.6.7 does not validate the path of files to be downloaded, which could allow unauthenticated attacker to read/download arbitrary files.
Published: 2025-11-05
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized file download
Action: Patch
AI Analysis

Impact

The vulnerability in the MelAbu WP Download Counter Button plugin allows an attacker with no authentication to request arbitrary files from the server. The plugin fails to validate the file path supplied in the download request, which effectively turns it into a path traversal flaw. An attacker could read sensitive configuration files, source code or other private data that resides on the same web root, compromising confidentiality.

Affected Systems

WordPress sites running the MelAbu WP Download Counter Button plugin version 1.8.6.7 or earlier are affected. No other vendors or product versions were identified in the CNA report.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate impact. The EPSS score of less than 1% points to a low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, because the flaw permits unauthenticated reading of arbitrary files via a web request, it is best addressed through a patch or the stated workaround. The likely attack vector is a web-based HTTP request targeting the plugin’s download endpoint.

Generated by OpenCVE AI on April 27, 2026 at 22:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the MelAbu WP Download Counter Button plugin to the latest supported version (1.8.6.8 or later) where path validation has been added.
  • If an upgrade cannot be performed immediately, disable the download functionality for unauthenticated users in the plugin settings or block the download endpoint with access control rules, such as an .htaccess rule that requires authentication.
  • Implement a temporary code change that limits the download path to a specific whitelist of directories or file types, preventing traversal outside the intended download folder.

Generated by OpenCVE AI on April 27, 2026 at 22:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 23:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200
CWE-22

Thu, 06 Nov 2025 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Wed, 05 Nov 2025 19:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 05 Nov 2025 06:15:00 +0000

Type Values Removed Values Added
Description The MelAbu WP Download Counter Button WordPress plugin through 1.8.6.7 does not validate the path of files to be downloaded, which could allow unauthenticated attacker to read/download arbitrary files.
Title Download Counter Button <= 1.8.6.7 - Unauthenticated Arbitrary File Download
References

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-04-02T12:39:51.115Z

Reserved: 2025-09-26T12:49:05.710Z

Link: CVE-2025-11072

cve-icon Vulnrichment

Updated: 2025-11-05T18:34:40.753Z

cve-icon NVD

Status : Deferred

Published: 2025-11-05T06:15:32.990

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-11072

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-27T23:00:13Z

Weaknesses