Impact
Media Library Downloader versions 1.3.1 and earlier lack an authorization check on the code path that serves media files, so an unauthenticated attacker can retrieve any file stored in the WordPress media library. The flaw is classified as incorrectly configured access control security levels: the download functionality is reachable without a login and never verifies that the requester is permitted to read the requested file. The result is disclosure of proprietary or otherwise sensitive media assets that the site owner may not have intended to expose. The issue is read-only; it does not provide code execution or any other form of server compromise.
Affected Systems
The vulnerability affects the WordPress plugin "Media Library Downloader" from the vendor identified as M.Code, in every version from the earliest release through 1.3.1. Any WordPress site that has one of those versions installed is exposed.
Risk and Exploitability
The CVSS base score of 4.3 places the issue at medium severity, and an EPSS score below 1% indicates a low probability of exploitation in the wild at the time of writing. The issue is not listed in the CISA KEV catalog. Against that, the attack vector is the network: an attacker needs no credentials or local access, only the ability to reach a site running the vulnerable plugin and craft a URL that points at a media file served through it. The overall risk is therefore limited but not negligible, and it rises with the sensitivity of what the media library holds. Because the flaw is read-only, the impact is confined to data exposure; it does not allow writes to the server or execution of arbitrary code.
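The pattern described in the Impact and Risk sections above, shown as an added example that is not the Media Library Downloader plugin's own code: a WordPress download handler that is registered for unauthenticated callers and never checks who is asking, beside a hardened version of the same handler. The hook names, function names, query parameters and the `upload_files` capability are assumptions chosen for the illustration.

```php
<?php
/**
 * Illustrative only: NOT the Media Library Downloader plugin's code.
 * Shows the vulnerability class described above (a media download handler
 * reachable without authentication and without an authorization check)
 * next to a hardened version. All names here are assumptions.
 */

// --- Vulnerable pattern -------------------------------------------------
// Registering on wp_ajax_nopriv_* exposes the handler at
// /wp-admin/admin-ajax.php?action=example_media_download to anyone with
// no session, and the handler itself never asks who is calling.
add_action( 'wp_ajax_example_media_download',        'example_media_download_vulnerable' );
add_action( 'wp_ajax_nopriv_example_media_download', 'example_media_download_vulnerable' );

function example_media_download_vulnerable() {
    $attachment_id = absint( $_GET['id'] ?? 0 );
    $path          = get_attached_file( $attachment_id );
    if ( ! $path || ! file_exists( $path ) ) {
        wp_die( 'Not found', 404 );
    }
    // Any attachment in the media library is streamed to any requester.
    example_stream_file( $path );
}

// --- Hardened pattern ----------------------------------------------------
// 1. No nopriv hook: unauthenticated requests never reach the handler.
// 2. Capability check: only users allowed to manage uploads may download.
// 3. Nonce check: the request must come from the plugin's own UI, where
//    the link was built with wp_create_nonce( 'example_media_download' ).
add_action( 'wp_ajax_example_media_download_secure', 'example_media_download_secure' );

function example_media_download_secure() {
    if ( ! is_user_logged_in() || ! current_user_can( 'upload_files' ) ) {
        wp_die( 'Forbidden', 403 );
    }
    check_ajax_referer( 'example_media_download', 'nonce' ); // dies on failure

    $attachment_id = absint( $_GET['id'] ?? 0 );
    if ( get_post_type( $attachment_id ) !== 'attachment' ) {
        wp_die( 'Not found', 404 );
    }
    $path = get_attached_file( $attachment_id );
    if ( ! $path || ! file_exists( $path ) ) {
        wp_die( 'Not found', 404 );
    }
    example_stream_file( $path );
}

// Shared helper: stream the resolved file with a sanitized name, then stop.
function example_stream_file( $path ) {
    nocache_headers();
    header( 'Content-Type: application/octet-stream' );
    header( 'Content-Length: ' . filesize( $path ) );
    header( 'Content-Disposition: attachment; filename="' . sanitize_file_name( basename( $path ) ) . '"' );
    readfile( $path );
    exit;
}
```

The two handlers differ only in who may reach them: the hardened one drops the `wp_ajax_nopriv_` registration so anonymous requests are never dispatched to it, and then enforces a capability and a nonce before resolving the attachment path. Input sanitization alone (`absint`) does nothing for this bug class, since the request is well-formed; the missing control is authorization.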
OpenCVE Enrichment