Description
The F70 Lead Document Download plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'file_download' function in all versions up to, and including, 1.4.4. This makes it possible for unauthenticated attackers to download any file from the WordPress media library by guessing or enumerating WordPress attachment IDs.
Published: 2025-12-20
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access to Media Files
Action: Apply Patch
AI Analysis

Impact

The plugin’s file_download function lacks a capability check, allowing any user without authentication to request files from the WordPress media library by guessing attachment IDs. This enables download of arbitrary media files, compromising the confidentiality of stored content.

Affected Systems

The vulnerability exists in the WordPress plugin F70 Lead Document Download for all released versions up to and including 1.4.4. Sites running these versions with the plugin active are susceptible if the function can be called externally.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, and the EPSS score of less than 1% suggests a low likelihood of exploitation at present. The issue is not listed in the CISA KEV catalog. Attackers can trigger the flaw remotely by directing any visitor to the file download endpoint; the missing check is the prerequisite for successful exploitation.

Generated by OpenCVE AI on April 20, 2026 at 21:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the F70 Lead Document Download plugin to the latest available version that implements a proper capability check for the file_download action.
  • If no newer version exists, replace the plugin with an alternative that enforces authorization before file access, or remove the plugin entirely if the feature is unnecessary.
  • Ensure that all other plugins or custom code on the site perform capability checks on media file access to prevent similar unauthorized download vectors.

Generated by OpenCVE AI on April 20, 2026 at 21:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 22 Dec 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sun, 21 Dec 2025 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Sat, 20 Dec 2025 03:30:00 +0000

Type Values Removed Values Added
Description The F70 Lead Document Download plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'file_download' function in all versions up to, and including, 1.4.4. This makes it possible for unauthenticated attackers to download any file from the WordPress media library by guessing or enumerating WordPress attachment IDs.
Title F70 Lead Document Download <= 1.4.4 - Missing Authorization to Unauthenticated Arbitrary Media File Download
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:18:32.758Z

Reserved: 2025-12-12T22:11:21.919Z

Link: CVE-2025-14633

cve-icon Vulnrichment

Updated: 2025-12-22T20:32:37.247Z

cve-icon NVD

Status : Deferred

Published: 2025-12-20T04:16:08.140

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14633

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T21:30:18Z

Weaknesses