Description
The Document Library Lite plugin for WordPress is vulnerable to Improper Authorization in all versions up to, and including, 1.1.6. This is due to the plugin exposing an unauthenticated AJAX action dll_load_posts which returns a JSON table of document data without performing nonce or capability checks. The handler accepts an attacker-controlled args array where the status option explicitly allows draft, pending, future, and any. This makes it possible for unauthenticated attackers to retrieve unpublished document titles and content via the AJAX endpoint.
Published: 2025-11-01
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized disclosure of unpublished document titles and content
Action: Apply patch
AI Analysis

Impact

The Document Library Lite plugin for WordPress contains an Improper Authorization flaw that allows unauthenticated users to call the AJAX action dll_load_posts. Because this action skips nonce validation and capability checks, it returns a JSON table of document data that can include unpublished documents. The handler accepts a status argument that can be set to draft, pending, future, or any, meaning that attackers can retrieve the titles and contents of documents that have not been published. This flaw is categorized as CWE‑285.

Affected Systems

All WordPress sites running the Document Library Lite plugin version 1.1.6 or earlier are vulnerable. The plugin is maintained by barn2media and serves as a file and document gallery for WordPress installations. Users should confirm the installed version and note that any release before 1.1.7 contains the issue.

Risk and Exploitability

The CVSS score of 5.3 places this vulnerability in the moderate range, and the EPSS score of less than 1% indicates a low probability of exploitation in the wild. It is not listed in the CISA KEV catalog. The attack vector is an unauthenticated AJAX request that requires no credentials, meaning anyone who can reach the site can trigger the vulnerability. While the impact is limited to information disclosure, it is still a concern for sites handling sensitive or confidential documents. The risk is moderate, mitigated by the low EPSS, but the flaw should be addressed promptly to prevent accidental or targeted data leakage.

Generated by OpenCVE AI on April 27, 2026 at 23:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Document Library Lite plugin to a version released after 1.1.6, which incorporates the necessary authorization checks for the dll_load_posts action.
  • If an upgrade is not immediately possible, modify the plugin's Ajax_Handler class to enforce a capability check, such as verifying that the current user has the "read" capability, before executing dll_load_posts.
  • After applying a fix or blocking the endpoint, perform a quick scan for unauthorized AJAX calls to confirm that the vulnerability is no longer exploitable.

Generated by OpenCVE AI on April 27, 2026 at 23:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 03 Nov 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 03 Nov 2025 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Sat, 01 Nov 2025 02:00:00 +0000

Type Values Removed Values Added
Description The Document Library Lite plugin for WordPress is vulnerable to Improper Authorization in all versions up to, and including, 1.1.6. This is due to the plugin exposing an unauthenticated AJAX action dll_load_posts which returns a JSON table of document data without performing nonce or capability checks. The handler accepts an attacker-controlled args array where the status option explicitly allows draft, pending, future, and any. This makes it possible for unauthenticated attackers to retrieve unpublished document titles and content via the AJAX endpoint.
Title Document Library Lite <= 1.1.6 - Missing Authorization to Sensitive Information Exposure
Weaknesses CWE-285
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:43:41.484Z

Reserved: 2025-09-29T18:05:00.817Z

Link: CVE-2025-11174

cve-icon Vulnrichment

Updated: 2025-11-03T18:57:06.982Z

cve-icon NVD

Status : Deferred

Published: 2025-11-01T02:15:31.847

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-11174

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-27T23:45:15Z

Weaknesses