CVE-2025-54743
Description
Missing Authorization vulnerability in mkscripts Download After Email download-after-email allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Download After Email: from n/a through 2.1.5-2.1.6.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Download After Email plugin for WordPress (versions 2.1.5-2-2.1.6) contains a missing authorization vulnerability that allows attackers to bypass access controls.
Vulnerability Overview
The Download After Email plugin for WordPress (versions 2.1.2 through 2.1.6) suffers from a missing authorization vulnerability. This issue stems from improperly configured access control security levels, which fail to enforce proper checks on certain functionalities [1]. The vulnerability is classified as an 'Other Vulnerability Type' with a CVSS v3 base score of 5.8 (Medium), indicating a moderate security risk [1].
Exploitation Details
An attacker can exploit this vulnerability by sending crafted requests to the vulnerable plugin without requiring any authentication [1]. The attack is performed over a network and has low attack complexity, meaning no special conditions or prerequisites are needed. The missing authorization allows the attacker to interact with plugin features that should be restricted, enabling them to manipulate or access protected resources [1].
Impact Assessment
Successful exploitation could allow an attacker to perform unauthorized actions, such as accessing or modifying files that should be protected by access controls. While the impact on confidentiality and integrity is considered partial, the attacker could potentially affect the integrity of data or configurations [1]. The vulnerability is noted to be used in mass-exploit campaigns, targeting thousands of websites regardless of size or popularity [1].
Mitigation Status
A patch is not available via a direct update from the plugin vendor. Users are strongly advised to update the plugin immediately if a patched version becomes available. If immediate updating is not possible, users should ask their hosting provider or web developer for help applying temporary workarounds [1]. The vulnerability does not appear in the CISA Known Exploited Vulnerabilities catalog as of this writing.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
- Range: <=2.1.6
Patches: 0
No patches discovered yet.
References: 1
News mentions: 0
No linked articles in our index yet.