Description
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in maennchen1.de m1.DownloadList m1downloadlist allows Retrieve Embedded Sensitive Data. This issue affects m1.DownloadList: from n/a through <= 0.24.
Published: 2025-04-08
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WordPress m1.DownloadList plugin allows an attacker to retrieve embedded sensitive data, which may include system credentials or other private information. The weakness, classified as CWE-497, permits the exposed data to be accessed by unauthenticated users, creating a sensitive data exposure issue.

Affected Systems

WordPress sites running the m1.DownloadList plugin from the developer maennchen1.de at version 0.24 or earlier are affected. The plugin’s files and endpoints are publicly reachable for anyone who can trigger the plugin’s pages, providing direct access to the sensitive information without authentication checks.

Risk and Exploitability

The CVSS score of 6.5 indicates medium severity, while the EPSS score of less than 1% reflects a low probability of exploitation at the time of analysis. The vulnerability is not listed in CISA KEV. Based on the description, it is inferred that the attack vector is through the plugin’s publicly exposed pages or URLs, meaning any visitor to the site could trigger the data extraction without elevated privileges.

Generated by OpenCVE AI on May 1, 2026 at 11:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the m1.DownloadList plugin to a version newer than 0.24 that addresses the sensitive data exposure flaw.
  • Restrict direct access to the plugin’s internal files and directories using web server configuration or .htaccess rules, ensuring only legitimate plugin execution paths are accessible.
  • If the plugin is not essential for site functionality, remove or deactivate it completely to eliminate the exposure point.

Advisories
Source: EUVD
ID: EUVD-2025-10260
Title: Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in maennchen1.de m1.DownloadList. This issue affects m1.DownloadList: from n/a through 0.21.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in maennchen1.de m1.DownloadList. This issue affects m1.DownloadList: from n/a through 0.21.
  Values Added: Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in maennchen1.de m1.DownloadList m1downloadlist allows Retrieve Embedded Sensitive Data. This issue affects m1.DownloadList: from n/a through <= 0.24.
Title
  Values Removed: WordPress m1.DownloadList plugin <= 0.21 - Sensitive Data Exposure vulnerability
  Values Added: WordPress m1.DownloadList plugin <= 0.24 - Sensitive Data Exposure vulnerability
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


Wed, 09 Apr 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 08 Apr 2025 17:15:00 +0000

Type Values Removed Values Added
Description Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in maennchen1.de m1.DownloadList. This issue affects m1.DownloadList: from n/a through 0.21.
Title WordPress m1.DownloadList plugin <= 0.21 - Sensitive Data Exposure vulnerability
Weaknesses CWE-497
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:17.730Z

Reserved: 2025-04-04T10:01:05.032Z

Link: CVE-2025-32164

Vulnrichment

Updated: 2025-04-09T13:24:14.415Z

NVD

Status: Deferred

Published: 2025-04-08T17:15:39.143

Modified: 2026-04-23T15:28:40.717

Link: CVE-2025-32164

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T11:15:15Z
