Impact
An insecure direct object reference (IDOR) flaw in the dFactory Download Attachments plugin for WordPress lets an attacker manipulate a user-controlled key (the identifier that selects an attachment) to bypass the intended access control and retrieve attachments the website owner has stored. The root cause is a missing or improperly enforced authorization check on the download path, so resources that should be restricted to authorized users can be read by anyone who can reach the endpoint. The impact is primarily a loss of confidentiality: an unauthenticated or low-privileged user can obtain private files. The advisory describes read access only; it does not establish that attachments can be replaced or altered, so any integrity impact should be treated as unconfirmed. In short, this is an authorization bypass with potentially site-wide reach over stored attachments.
Affected Systems
WordPress sites running the dFactory Download Attachments plugin at any version up to and including 1.4.0. Every release in that range carries the flaw, because the download code path is not guarded by a proper capability or ownership check. Administrators should confirm the installed version (the Plugins screen, or the Version header of the plugin's main file) and treat any installation earlier than 1.4.1 as vulnerable.
Risk and Exploitability
No CVSS score is supplied for this entry, but the weakness class (direct access to stored data through a user-controlled object reference with no authorization check) usually rates high on the confidentiality axis. No EPSS figure is available and the vulnerability is not listed in the CISA KEV catalog, so there is no confirmed evidence of widespread exploitation; absence from KEV is not evidence that it is unexploited. Exploitation is straightforward: an attacker sends a crafted URL or parameter value carrying a guessed or enumerated attachment identifier, which requires only knowledge of the site's URL structure and is feasible over the network from any client that can reach the site. WordPress attachment IDs are sequential post IDs, so enumeration is trivial. Because the download path performs no authorization check, no elevated privileges are needed, and the risk is significant for any site with public or limited user access, not only sites with open registration.
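To make the flaw described under Impact and the exploitation path described above concrete, the following is an added PHP illustration written for this page; it is not code from the Download Attachments plugin, and the endpoint, the query parameter name (`attachment_id`), the hook choice and the function names are assumptions for the example. The first handler shows the IDOR pattern (the identifier in the request is the only thing that selects the file served), and the second shows the authorization check that is missing in the vulnerable version: access is decided on the post the file belongs to, using WordPress's own `is_post_publicly_viewable()` (WordPress 5.7 or later) and the `read_post` meta capability, with a path containment check as defence in depth.

```php
<?php
/*
 * Added illustration, not the plugin's own code. Assumes a hypothetical
 * endpoint ?attachment_id=<n> handled on template_redirect; the real plugin's
 * parameter names, hooks and storage layout are not known from the advisory.
 */

// Vulnerable pattern: the attachment ID taken from the request is the only
// input that selects the file. Any ID an attacker enumerates is served.
function dl_example_vulnerable_download() {
    if ( ! isset( $_GET['attachment_id'] ) ) {
        return;
    }
    $id   = (int) $_GET['attachment_id'];
    $file = get_attached_file( $id ); // path derived from the ID, no authorization
    if ( $file && is_readable( $file ) ) {
        header( 'Content-Type: application/octet-stream' );
        header( 'Content-Disposition: attachment; filename="' . basename( $file ) . '"' );
        readfile( $file );
        exit;
    }
}

// Hardened pattern: the ID is still user controlled, but the server decides
// whether *this* user may read *this* object before touching the filesystem.
function dl_example_authorized_download() {
    if ( ! isset( $_GET['attachment_id'] ) ) {
        return;
    }
    $id         = absint( $_GET['attachment_id'] );
    $attachment = $id ? get_post( $id ) : null;
    if ( ! $attachment || 'attachment' !== $attachment->post_type ) {
        status_header( 404 );
        exit;
    }

    // Authorization is decided on the parent post (assumption for this example:
    // a download is only meaningful in that post's context). Unattached files
    // have no context to authorize against and are denied.
    $parent = $attachment->post_parent ? get_post( $attachment->post_parent ) : null;
    if ( ! $parent ) {
        status_header( 403 );
        exit;
    }

    // Public posts: anyone may read, unless the post is password protected.
    // Private, draft or otherwise non-public posts: defer to WordPress's
    // read_post meta capability for the current user.
    $allowed = is_post_publicly_viewable( $parent )
        ? ! post_password_required( $parent )
        : current_user_can( 'read_post', $parent->ID );
    if ( ! $allowed ) {
        status_header( 403 );
        exit;
    }

    // Defence in depth: the resolved path must stay inside the uploads directory.
    $file    = get_attached_file( $id );
    $real    = $file ? realpath( $file ) : false;
    $basedir = realpath( wp_upload_dir()['basedir'] );
    if ( ! $real || ! $basedir || 0 !== strpos( $real, $basedir . DIRECTORY_SEPARATOR ) ) {
        status_header( 404 );
        exit;
    }

    $mime = get_post_mime_type( $id );
    header( 'Content-Type: ' . ( $mime ? $mime : 'application/octet-stream' ) );
    header( 'Content-Disposition: attachment; filename="' . basename( $real ) . '"' );
    header( 'Content-Length: ' . filesize( $real ) );
    readfile( $real );
    exit;
}

// Wire the hardened handler (hypothetical hook choice; the real plugin may differ).
add_action( 'template_redirect', 'dl_example_authorized_download' );
```

The public-post check comes first for a reason: `current_user_can( 'read_post', ... )` maps to the `read` capability, which a logged-out visitor does not have, so relying on it alone would lock anonymous users out of public downloads while the real bug is the opposite, letting everyone into private ones. Note also that a nonce on the download link would only address CSRF; it is the object-level authorization check, not the nonce, that closes an IDOR.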
OpenCVE Enrichment