CVE-2025-11072
Description
The MelAbu WP Download Counter Button WordPress plugin through 1.8.6.7 does not validate the path of files to be downloaded, which could allow an unauthenticated attacker to read/download arbitrary files.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The MelAbu WP Download Counter Button plugin up to 1.8.6.7 lacks path validation, allowing unauthenticated arbitrary file download.
The MelAbu WP Download Counter Button plugin for WordPress, through version 1.8.6.7, fails to properly validate the path of files requested for download. Because the file path is never checked against an allowed location, the plugin does not restrict which files can be accessed via its download functionality.
An unauthenticated attacker can exploit this vulnerability by sending a crafted request to the plugin's download handler, specifying a path to an arbitrary file on the server. No authentication is required, and the attack does not require any special privileges or user interaction.
Successful exploitation allows an attacker to read and download arbitrary files from the server, including sensitive files such as wp-config.php, which contains database credentials and other critical configuration data. This could lead to complete site compromise if combined with other attacks.
As of the publication date, no fix is available [1]. The plugin has been publicly disclosed and added to the WPScan vulnerability database. Users are advised to remove the plugin until a patched version is released.
## References
- [1] WPScan Advisory
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.8.6.7
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.