Impact
The WP Media folder Addon plugin for WordPress allows an attacker to download any file on the server when the plugin version is 4.0.1 or older. This flaw is an unauthenticated arbitrary file download vulnerability (CWE‑22). The attacker can target sensitive files such as configuration files, credentials or private data, leading to confidentiality breaches.
Affected Systems
The vulnerability affects installations of Joomunited's WP Media folder Addon plugin up to version 4.0.1. Users running these older plugin versions on any WordPress site are susceptible, regardless of network exposure.
Risk and Exploitability
The CVSS score of 7.5 reflects a high severity. The EPSS score is not available, so no current exploitation probability can be assigned, and the vulnerability is not listed in CISA's KEV catalog. The attack vector is likely via a direct HTTP request to the plugin, which does not require authentication. Since the flaw allows unrestricted file access, it poses a significant threat if not patched.
OpenCVE Enrichment