Impact
The Download Counter plugin for WordPress contains an Improper Limitation of a Pathname to a Restricted Directory flaw (CWE-22, path traversal). A victim who visits a specially crafted URL can trigger the plugin's download handler to read and download any file the web server can access. Based on the description, it is inferred that an attacker can exfiltrate sensitive configuration files, passwords, or other confidential data, which corresponds to a high confidentiality impact. The CVSS score of 7.5 indicates a moderate-to-high severity, while the EPSS score of < 1 % signals a low but non-zero likelihood of exploitation.
Affected Systems
This issue affects all installations of the WordPress Download Counter plugin version 1.4 and earlier, authored by Anatoly. No further sub-revision information is provided, so every deployment running version 1.4 or earlier should be considered at risk.
Risk and Exploitability
Because the vulnerability is triggered by constructing a malicious request to the plugin's download endpoint, it can be abused by anyone with remote access to the WordPress site, without requiring privilege escalation; the attack vector is therefore most likely network-based (web). The EPSS score of < 1 % indicates a low exploitation probability, and the vulnerability is not listed in CISA KEV. Nevertheless, the high CVSS rating warrants prompt mitigation.
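The Impact and Risk sections above describe the general CWE-22 pattern: a download handler joins a user-supplied file name onto a base directory and serves whatever the result points at. The following is an added illustration, not code from the Download Counter plugin (which is PHP) or from OpenCVE. It places the unchecked pattern beside the confinement check a hardened handler needs, and runs both over constructed requests. The query parameter name `file`, the example hostname, and the temporary directory layout are assumptions made for the demo.

```python
import os
import shutil
import tempfile
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Name of the query parameter the download handler reads. This is an
# assumption for the demo, not the plugin's actual parameter name.
FILE_PARAM = "file"


def resolve_download_path(base_dir: str, requested: str) -> Optional[str]:
    """Map a user-supplied file name onto a file inside base_dir.

    Returns the canonical absolute path, or None when the request is absolute,
    escapes base_dir (via '..' segments or a symlink), or names no regular file.
    """
    base = os.path.realpath(base_dir)
    # os.path.join discards base when the second argument is absolute, so an
    # absolute request must be rejected before joining.
    if os.path.isabs(requested):
        return None
    # realpath collapses '..' and follows symlinks, so the prefix test below is
    # made on the path the OS would actually open, not on the raw string.
    candidate = os.path.realpath(os.path.join(base, requested))
    if not candidate.startswith(base + os.sep):
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


def naive_download_path(base_dir: str, requested: str) -> str:
    """The unchecked pattern behind CWE-22: concatenate, then open whatever results."""
    return os.path.realpath(os.path.join(base_dir, requested))


def requested_name(url: str) -> str:
    """Extract the file parameter from a URL; parse_qs percent-decodes it."""
    return parse_qs(urlsplit(url).query).get(FILE_PARAM, [""])[0]


def build_fixture() -> tuple:
    """Constructed on-disk layout: a downloads dir and a sensitive file above it."""
    root = tempfile.mkdtemp(prefix="dlc-demo-")
    downloads = os.path.join(root, "wp-content", "uploads", "downloads")
    os.makedirs(downloads)
    with open(os.path.join(downloads, "report.pdf"), "w") as fh:
        fh.write("public report\n")
    with open(os.path.join(root, "wp-config.php"), "w") as fh:
        fh.write("<?php // constructed stand-in for a sensitive file\n")
    return root, downloads


def demo() -> dict:
    """Run constructed requests through both handlers and report what each would serve."""
    root, downloads = build_fixture()
    secret = os.path.realpath(os.path.join(root, "wp-config.php"))
    # Constructed request URLs; the hostname is a placeholder.
    cases = {
        "legit": "https://blog.example/?file=report.pdf",
        "traversal": "https://blog.example/?file=../../../wp-config.php",
        "encoded": "https://blog.example/?file=..%2F..%2F..%2Fwp-config.php",
        "absolute": "https://blog.example/?file=" + secret,
        "missing": "https://blog.example/?file=does-not-exist.pdf",
    }
    hardened = {k: resolve_download_path(downloads, requested_name(u)) for k, u in cases.items()}
    naive = {k: naive_download_path(downloads, requested_name(u)) for k, u in cases.items()}
    result = {
        "hardened": hardened,
        "naive": naive,
        "legit_expected": os.path.realpath(os.path.join(downloads, "report.pdf")),
        "secret": secret,
    }
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    for name, path in demo()["hardened"].items():
        print(f"{name:10s} -> {path or 'rejected'}")
```

The naive handler resolves the traversal, percent-encoded and absolute-path requests to the file outside the downloads directory, while the hardened one returns `None` for all three and serves only the legitimate name. The check is made on the canonical path (after `realpath`), so symlinks planted inside the base directory cannot be used to point outside it either; a string-level filter on `..` alone would not give that guarantee.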
OpenCVE Enrichment