Description
Unauthenticated Arbitrary File Download in Premium Age Verification / Restriction for WordPress <= 3.0.2 versions.
Published: 2026-06-17
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The plugin contains an unauthenticated arbitrary file download vulnerability that allows an attacker to specify arbitrary files on the server for download. This leads to disclosure of potentially sensitive configuration files, credentials, backup archives, or other private data, thereby compromising confidentiality.

Affected Systems

Affected are instances of the "Premium Age Verification / Restriction for WordPress" plugin developed by AA‑Team. Versions 3.0.2 and earlier are vulnerable because they lack proper validation of the file parameter. Any WordPress site running the plugin at or below the version 3.0.2 threshold is at risk.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity level. The EPSS score is not provided, but the absence of a known KEV listing suggests that, while the vulnerability may not be widely exploited yet, it remains a serious risk. The attack vector is not explicitly documented in the description, but it can be inferred that an unauthenticated HTTP request to the plugin’s download endpoint could trigger the flaw. Consequently, administrators should treat this as a high‑risk vulnerability until a patch is applied.

Generated by OpenCVE AI on June 18, 2026 at 12:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Premium Age Verification / Restriction for WordPress plugin to version 3.0.3 or later.
  • If an immediate update is not possible, disable the plugin or remove it from the site to eliminate the file download functionality.
  • Restrict file permissions on the server to prevent arbitrary file serving and scan the site for inadvertently exposed sensitive files.

Generated by OpenCVE AI on June 18, 2026 at 12:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 17 Jun 2026 14:15:00 +0000

Type Values Removed Values Added
First Time appeared Aa-team
Aa-team premium Age Verification Restriction For Wordpress
Wordpress
Wordpress wordpress
Vendors & Products Aa-team
Aa-team premium Age Verification Restriction For Wordpress
Wordpress
Wordpress wordpress

Wed, 17 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description Unauthenticated Arbitrary File Download in Premium Age Verification / Restriction for WordPress <= 3.0.2 versions.
Title WordPress Premium Age Verification / Restriction for WordPress Plugin <= 3.0.2 - Arbitrary File Download Vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Subscriptions

Aa-team Premium Age Verification Restriction For Wordpress
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T14:24:50.601Z

Reserved: 2025-06-04T15:44:03.663Z

Link: CVE-2025-49403

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T12:45:03Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')