Impact
An authorization bypass in the dFactory Download Attachments plugin occurs when a user can construct a request that references files they are not permitted to download. This flaw allows confidential attachments to be exposed, effectively compromising the confidentiality of protected content. The weakness is a classic Insecure Direct Object Reference, classified as CWE-639.
Affected Systems
This issue affects the WordPress plugin dFactory Download Attachments in every release up to and including version 1.4.0. Site administrators whose sites run this plugin should verify whether they host sensitive attachments that could be accessed through the download interface.
Risk and Exploitability
The CVSS score of 5.3 indicates moderate severity, and the EPSS score of less than 1% suggests a low probability of widespread exploitation. The vulnerability is not listed in the CISA KEV catalog, meaning no publicly confirmed exploitation is currently known. The likely attack vector, inferred from the description, is manipulation of the download key or URL parameter that the plugin uses to locate files. An attacker who discovers a valid key can download any attachment the plugin associates with it, needing only basic knowledge of the plugin's filename mapping. This could lead to unauthorized disclosure of private data from the affected WordPress site.
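The pattern behind a CWE-639 flaw in a WordPress download handler, shown as an added illustration rather than the plugin's own code (this page does not describe the plugin's implementation or its fix): a handler that serves whatever attachment the request names, beside one that resolves the object first and then decides whether the current user may read it. The parameter name `attachment_id` and the `_restricted_to_user` meta key are assumptions made for the example.

```php
<?php
// Added illustrative example, not the dFactory plugin's code.
// Assumed: request parameter `attachment_id`, post meta key `_restricted_to_user`.

// Vulnerable pattern: the client-supplied ID is the only input, and no check ties
// it to the requesting user, so any valid ID yields the file (IDOR, CWE-639).
function insecure_serve_attachment() {
    $id   = (int) ( $_GET['attachment_id'] ?? 0 );
    $path = get_attached_file( $id );          // trusts the caller-supplied ID
    if ( $path && is_readable( $path ) ) {
        header( 'Content-Type: ' . get_post_mime_type( $id ) );
        readfile( $path );
        exit;
    }
    wp_die( 'Not found', '', array( 'response' => 404 ) );
}

// Hardened pattern: resolve the object, then authorize *this* user against it.
function secure_serve_attachment() {
    $id         = (int) ( $_GET['attachment_id'] ?? 0 );
    $attachment = get_post( $id );
    // 1. The object must exist and really be an attachment record.
    if ( ! $attachment || 'attachment' !== $attachment->post_type ) {
        wp_die( 'Not found', '', array( 'response' => 404 ) );
    }
    // 2. Authorization: the uploader, a user named in the (assumed) allow-list meta,
    //    or anyone WordPress itself grants read_post on this object.
    $user_id      = get_current_user_id();
    $allowed_user = (int) get_post_meta( $id, '_restricted_to_user', true );
    $is_owner     = $user_id && $user_id === (int) $attachment->post_author;
    $is_allowed   = $allowed_user && $user_id === $allowed_user;
    if ( ! $is_owner && ! $is_allowed && ! current_user_can( 'read_post', $id ) ) {
        // Same response as "not found" so valid IDs cannot be confirmed by probing.
        wp_die( 'Not found', '', array( 'response' => 404 ) );
    }
    // 3. Serve only the file bound to this attachment record, never a raw path.
    $path = get_attached_file( $id );
    if ( ! $path || ! is_readable( $path ) ) {
        wp_die( 'Not found', '', array( 'response' => 404 ) );
    }
    nocache_headers();
    header( 'Content-Type: ' . get_post_mime_type( $id ) );
    header( 'Content-Disposition: attachment; filename="' . basename( $path ) . '"' );
    readfile( $path );
    exit;
}
```

The difference to look for when reviewing a download endpoint is step 2: the identifier in the request must be checked against the requesting user's rights, not merely against whether the file exists.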
OpenCVE Enrichment