Description
The Zip Attachments plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check as well as missing post status validation in the za_create_zip_callback function in all versions up to, and including, 1.6. This makes it possible for unauthenticated attackers to download attachments from private and password-protected posts.
Published: 2025-10-15
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Disclosure
Action: Update Plugin
AI Analysis

Impact

The Zip Attachments plugin for WordPress is vulnerable because the za_create_zip_callback function lacks a capability check and does not validate the post status. This missing protection allows any unauthenticated user to trigger the function and download attachments that belong to private or password-protected posts. The vulnerability directly exposes private content without modifying the integrity of the site, leading to confidential data leakage.

Affected Systems

Quicoto’s Zip Attachments plugin, all versions up to and including 1.6, is affected. Users running any of these versions are vulnerable unless the plugin has been patched or removed.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity. The EPSS score is below 1%, suggesting a low probability of exploitation at the current time. The vulnerability is not listed in CISA’s KEV catalog, so no known widespread attacks have been reported. Based on the description, the likely attack vector is an unauthenticated HTTP request to the plugin’s zip endpoint. Attackers can download the ZIP file without any authentication or authorization checks, which circumvents the privacy controls of the site.

Generated by OpenCVE AI on April 21, 2026 at 02:18 UTC.
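The two missing controls named above (a capability check and post-status validation) are easiest to see in code. The following is an added illustration written for this page, not the Zip Attachments plugin's own code: the plugin's real function bodies, hook names and request parameters are not on this page, so every name here is hypothetical. It uses only standard WordPress API calls (get_post, get_post_status, current_user_can with the read_post meta capability, post_password_required, get_posts, wp_send_json_error) to refuse a download request before any archive is built.

```php
<?php
// Added example, not the plugin's code. Names prefixed "example_" are hypothetical.
// Shows the authorization a WordPress attachment-download handler should perform
// before serving files: the post must exist, its status must permit the
// requester to read it, and a password-protected post must already have been
// unlocked by the visitor.

/**
 * Return the IDs of the attachments the current requester may receive for
 * $post_id, or a WP_Error explaining why the request must be refused.
 */
function example_authorized_attachment_ids( $post_id ) {
    $post = get_post( $post_id );
    if ( ! $post ) {
        return new WP_Error( 'not_found', 'No such post.', array( 'status' => 404 ) );
    }

    // Post status validation: attachments of anything other than a published
    // post are served only to users who may read the post itself. read_post is
    // a meta capability that WordPress maps to read_private_posts for private
    // posts and to edit_post for drafts, so anonymous visitors fail it.
    $published = ( 'publish' === get_post_status( $post ) );
    if ( ! $published && ! current_user_can( 'read_post', $post->ID ) ) {
        return new WP_Error( 'forbidden', 'You may not read this post.', array( 'status' => 403 ) );
    }

    // Password protection: post_password_required() is true until the visitor
    // has entered the correct password (WordPress then sets a wp-postpass_* cookie).
    if ( post_password_required( $post ) ) {
        return new WP_Error( 'forbidden', 'This post is password protected.', array( 'status' => 403 ) );
    }

    // Only media actually attached to this post are candidates for the archive.
    $attachment_ids = get_posts( array(
        'post_parent' => $post->ID,
        'post_type'   => 'attachment',
        'post_status' => 'inherit',
        'numberposts' => -1,
        'fields'      => 'ids',
    ) );
    return array_map( 'intval', $attachment_ids );
}

/**
 * Hypothetical AJAX callback. It runs the authorization first and only then
 * would build and stream the archive; a refusal is returned as JSON with the
 * matching HTTP status.
 */
function example_zip_download_callback() {
    $post_id = isset( $_GET['post_id'] ) ? absint( $_GET['post_id'] ) : 0;
    $ids     = example_authorized_attachment_ids( $post_id );

    if ( is_wp_error( $ids ) ) {
        $data   = $ids->get_error_data();
        $status = isset( $data['status'] ) ? (int) $data['status'] : 403;
        wp_send_json_error( $ids->get_error_message(), $status ); // exits
    }

    // Archive creation would go here, using only the IDs returned above.
    wp_send_json_success( array( 'attachments' => $ids ) );
}
add_action( 'wp_ajax_example_zip_download', 'example_zip_download_callback' );
add_action( 'wp_ajax_nopriv_example_zip_download', 'example_zip_download_callback' );
```

The key design point is that the handler is registered for both logged-in and anonymous requests (wp_ajax_ and wp_ajax_nopriv_), which is normal for a public download feature; what makes that safe is that the decision to serve is delegated to WordPress's own read_post capability mapping and post_password_required rather than to the mere fact that the request arrived. Removing either check reproduces the class of flaw this CVE describes.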

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest plugin update (version 1.7 or newer) to restore the missing capability and post status checks.
  • If an update is not immediately possible, disable or remove the Zip Attachments plugin entirely to block the insecure endpoint.
  • As a temporary measure, configure the web server to block requests to the plugin’s callback URL (e.g., /zip-attachments.zip) for users without appropriate authentication headers.


Advisories

No advisories yet.

History

Mon, 20 Oct 2025 13:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Wordpress; Wordpress wordpress
Vendors & Products                    Wordpress; Wordpress wordpress

Wed, 15 Oct 2025 14:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 15 Oct 2025 08:45:00 +0000

Type          Values Removed   Values Added
Description                    The Zip Attachments plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check as well as missing post status validation in the za_create_zip_callback function in all versions up to, and including, 1.6. This makes it possible for unauthenticated attackers to download attachments from private and password-protected posts.
Title                          Zip Attachments <= 1.6 - Missing Authorization to Unauthenticated Private And Password-Protected Posts Attachment Disclosure
Weaknesses                     CWE-862
References
Metrics                        cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


Subscriptions

Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:28:58.476Z

Reserved: 2025-10-13T18:11:22.225Z

Link: CVE-2025-11701

Vulnrichment

Updated: 2025-10-15T13:24:24.036Z

NVD

Status : Deferred

Published: 2025-10-15T09:15:42.910

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-11701

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T02:30:25Z

Weaknesses