CVE-2025-68850 - Vulnerability Details

- WordPress Sell Downloads plugin <= 1.1.12 - Broken Access Control vulnerability

Description

Missing Authorization vulnerability in codepeople Sell Downloads sell-downloads allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Sell Downloads: from n/a through <= 1.1.12.

Published: 2026-01-05

Score: 7.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The issue is a missing authorization flaw in the WordPress Sell Downloads plugin from codepeople, described as "Missing Authorization vulnerability". It allows an attacker to exploit incorrectly configured access control security levels. The primary impact is that users without sufficient privileges can potentially access protected download content or administrative functions, violating confidentiality and availability of the site. The weakness is classified as CWE-862, which is a missing authorization error.

Affected Systems

The vulnerability affects the Sell Downloads plugin by codepeople for WordPress, versions from the earliest listed through 1.1.12. Any site running a vulnerable version should identify the installed plugin version and plan an upgrade.

Risk and Exploitability

With a CVSS score of 7.5 the flaw is moderately high in severity. The EPSS score of less than 1% indicates a low likelihood of public exploitation at present, and the vulnerability is not currently listed in the CISA KEV catalog. Based on the description, the most likely attack vector is an unauthenticated or low‑privilege user accessing or creating requests that bypass the plugin’s intended security checks, leading to unauthorized download of protected files or modification of purchase data.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

codepeople

Sell Downloads

unaffected

Version	Status	Constraints
`0`	affected	≤ 1.1.12

No data.

Vendor	Product	Confidence	Versions
Codepeople	Sell Downloads	—	—
Wordpress	Wordpress	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Sell Downloads plugin to the latest available version from the official WordPress repository or the vendor’s site.
Verify that the plugin’s administrative screens are only accessible to users with the required capabilities, such as manage_options, and adjust role permissions accordingly.
Restrict the plugin’s functionality to administrators by using a role‑management plugin or by disabling it for other roles.
Continuously monitor site logs for unexpected access to the plugin’s download or purchase endpoints and apply additional filtering if abnormal activity is detected.

Generated by OpenCVE AI on April 29, 2026 at 21:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00058.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://patchstack.com/database/Wordpress/Plugin/sell-downloads/vulnerability/wordpress-sell-downloads-plugin-1-1-12-broken-access-control-vulnerability?_s_id=cve

History

Wed, 29 Apr 2026 10:15:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}`

Wed, 01 Apr 2026 23:45:00 +0000

Type	Values Removed	Values Added
Description	Missing Authorization vulnerability in Codepeople Sell Downloads allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Sell Downloads: from n/a through 1.1.12.	Missing Authorization vulnerability in codepeople Sell Downloads sell-downloads allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Sell Downloads: from n/a through <= 1.1.12.
References	https://patchstack.com/database/wordpress/plugin/sell-downloads/vulnerability/wordpress-sell-downloads-plugin-1-1-12-broken-access-control-vulnerability?_s_id=cve	https://patchstack.com/database/Wordpress/Plugin/sell-downloads/vulnerability/wordpress-sell-downloads-plugin-1-1-12-broken-access-control-vulnerability?_s_id=cve
Metrics	cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}`

Tue, 20 Jan 2026 15:30:00 +0000

Type	Values Removed	Values Added
References	https://vdp.patchstack.com/database/wordpress/plugin/sell-downloads/vulnerability/wordpress-sell-downloads-plugin-1-1-12-broken-access-control-vulnerability?_s_id=cve

Tue, 20 Jan 2026 14:45:00 +0000

Type	Values Removed	Values Added
References		https://patchstack.com/database/wordpress/plugin/sell-downloads/vulnerability/wordpress-sell-downloads-plugin-1-1-12-broken-access-control-vulnerability?_s_id=cve

Tue, 06 Jan 2026 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 06 Jan 2026 14:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Codepeople Codepeople sell Downloads Wordpress Wordpress wordpress
Vendors & Products		Codepeople Codepeople sell Downloads Wordpress Wordpress wordpress

Mon, 05 Jan 2026 11:00:00 +0000

Type	Values Removed	Values Added
Description		Missing Authorization vulnerability in Codepeople Sell Downloads allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Sell Downloads: from n/a through 1.1.12.
Title		WordPress Sell Downloads plugin <= 1.1.12 - Broken Access Control vulnerability
Weaknesses		CWE-862
References		https://vdp.patchstack.com/database/wordpress/plugin/sell-downloads/vulnerability/wordpress-sell-downloads-plugin-1-1-12-broken-access-control-vulnerability?_s_id=cve
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}`

Subscriptions

Codepeople Sell Downloads

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2026-01-05T10:43:35.490Z

Updated: 2026-04-29T09:51:56.662Z

Reserved: 2025-12-24T14:00:10.433Z

Link: CVE-2025-68850

Vulnrichment

Updated: 2026-01-06T15:47:18.613Z

NVD

Status : Deferred

Published: 2026-01-05T11:17:42.120

Modified: 2026-04-29T10:16:53.290

Link: CVE-2025-68850

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T22:00:07Z

Weaknesses

CWE-862

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object