
CVE-2025-11072: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in MelAbu WP Download Counter Button

Severity: Medium
Tags: Vulnerability, CVE-2025-11072, CWE-22
Published: Wed Nov 05 2025 (11/05/2025, 06:00:07 UTC)
Source: CVE Database V5
Product: MelAbu WP Download Counter Button

Description

The MelAbu WP Download Counter Button WordPress plugin through 1.8.6.7 does not validate the path of files to be downloaded, which could allow an unauthenticated attacker to read/download arbitrary files.

AI-Powered Analysis

Last updated: 11/12/2025, 08:02:45 UTC

Technical Analysis

CVE-2025-11072 is a path traversal vulnerability classified under CWE-22 found in the MelAbu WP Download Counter Button WordPress plugin versions through 1.8.6.7. The vulnerability arises because the plugin fails to properly validate or sanitize the file paths requested for download, allowing an attacker to manipulate the pathname parameter to access files outside the intended directory. This lack of restriction enables unauthenticated attackers to read arbitrary files on the web server, potentially exposing sensitive configuration files, credentials, or other private data. The vulnerability is remotely exploitable over the network without any authentication or user interaction, increasing its risk profile. The CVSS v3.1 base score is 5.3, reflecting a medium severity with a vector indicating network attack vector, low attack complexity, no privileges required, no user interaction, unchanged scope, and impact limited to confidentiality loss. No known public exploits have been reported yet, but the flaw represents a significant risk if weaponized. The plugin is used in WordPress environments, which are widely deployed globally, including Europe. The vulnerability's exploitation could lead to data leakage, which may facilitate further attacks or compromise organizational confidentiality.

Potential Impact

For European organizations, this vulnerability poses a risk of unauthorized disclosure of sensitive files hosted on WordPress servers using the affected plugin. Exposure of configuration files, credentials, or proprietary information could lead to further compromise, including privilege escalation or lateral movement within networks. Organizations in sectors such as finance, healthcare, government, and critical infrastructure are particularly at risk due to the sensitivity of their data. The vulnerability does not directly affect system integrity or availability, but the confidentiality breach could have regulatory and reputational consequences, especially under GDPR requirements. Since the exploit requires no authentication and can be performed remotely, the attack surface is broad. Organizations with public-facing WordPress sites using this plugin are vulnerable, and the impact could be amplified if combined with other vulnerabilities or misconfigurations.

Mitigation Recommendations

1. Monitor for and apply security patches or updates from the plugin vendor as soon as they become available to fix the path traversal flaw.
2. In the absence of an official patch, consider temporarily disabling or removing the MelAbu WP Download Counter Button plugin to eliminate exposure.
3. Restrict file system permissions on the web server to limit access to sensitive files, ensuring the web server user cannot read files outside intended directories.
4. Implement Web Application Firewalls (WAFs) with rules to detect and block path traversal attempts, such as requests containing '../' sequences or encoded variants.
5. Conduct regular security audits and vulnerability scans on WordPress installations to identify outdated or vulnerable plugins.
6. Employ strict input validation and sanitization practices for any custom code handling file downloads.
7. Educate site administrators on the risks of installing unverified plugins and encourage use of plugins with strong security track records.
8. Maintain comprehensive logging and monitoring to detect suspicious access patterns indicative of exploitation attempts.
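Recommendations 4, 6 and 8 above describe two defensive controls in words: confining a user-supplied file name to the intended download directory, and spotting traversal attempts (plain and percent-encoded) in web server logs. The following Python is an added illustration written for this page; it is not code from the MelAbu plugin or from the CVE record. The download root, the `file=` query parameter name, the plugin URL path and the log lines are all constructed for the example and do not reflect the real plugin's layout.

```python
import posixpath
import re
from urllib.parse import unquote

# Hypothetical directory a download handler is meant to serve from
# (constructed for this example, not the plugin's real layout).
DOWNLOAD_ROOT = "/var/www/html/wp-content/uploads/downloads"

# Combined-log prefix: client, ident, user, [time], "METHOD PATH PROTO", status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# A ".." path segment at the start of the string or after a URL delimiter.
TRAVERSAL_RE = re.compile(r"(?:^|[/?=&;])\.\.(?:/|$)")


def normalise(value):
    """Percent-decode twice (so %252e double encoding is caught) and unify slashes.

    Overlong UTF-8 encodings (e.g. %c0%ae) are not handled here; a WAF would
    normalise those separately.
    """
    return unquote(unquote(value)).replace("\\", "/")


def resolve_download_path(requested, root=DOWNLOAD_ROOT):
    """Map a user-supplied file name onto a path inside root.

    Returns the canonical path, or None when the request escapes root, is
    empty, or carries a NUL byte. This is a lexical check; a production
    handler should additionally os.path.realpath() the opened file so a
    symlink inside root cannot point outside it.
    """
    decoded = normalise(requested)
    if "\x00" in decoded:
        return None
    # Strip leading slashes so an absolute name is still anchored under root.
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    root_norm = posixpath.normpath(root)
    if candidate == root_norm or not candidate.startswith(root_norm + "/"):
        return None
    return candidate


def flag_traversal_requests(log_lines):
    """Return (client, raw_path, status) for requests whose decoded URL contains a '..' segment."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, raw_path, status = m.groups()
        if TRAVERSAL_RE.search(normalise(raw_path)):
            hits.append((client, raw_path, status))
    return hits


# Constructed sample access-log lines; the plugin path and parameter are hypothetical.
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Nov/2025:06:10:01 +0000] "GET /wp-content/plugins/example-plugin/download.php?file=report.pdf HTTP/1.1" 200 5120',
    '203.0.113.5 - - [05/Nov/2025:06:10:02 +0000] "GET /wp-content/plugins/example-plugin/download.php?file=../../../../wp-config.php HTTP/1.1" 200 2890',
    '198.51.100.9 - - [05/Nov/2025:06:11:15 +0000] "GET /wp-content/plugins/example-plugin/download.php?file=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 403 0',
    '198.51.100.9 - - [05/Nov/2025:06:11:16 +0000] "GET /wp-content/plugins/example-plugin/download.php?file=%252e%252e%252fwp-config.php HTTP/1.1" 200 2890',
    '192.0.2.77 - - [05/Nov/2025:06:12:00 +0000] "GET /index.php HTTP/1.1" 200 14000',
]


if __name__ == "__main__":
    for name in ("report.pdf", "../../../../wp-config.php", "%252e%252e%252fwp-config.php"):
        print(f"{name!r:45} -> {resolve_download_path(name)}")
    for client, path, status in flag_traversal_requests(SAMPLE_LOG):
        print(f"traversal attempt from {client} (status {status}): {path}")
```

The containment check deliberately does not try to "clean" the input by stripping `../`; it resolves the candidate path and rejects anything that does not land strictly below the root, which also covers double-encoded and mixed-slash variants. In the log scan, a hit with status 200 is the case to prioritise, since a 403 indicates the request was already refused.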


Technical Details

Data Version: 5.2
Assigner Short Name: WPScan
Date Reserved: 2025-09-26T12:49:05.710Z
Cvss Version: null
State: PUBLISHED

Threat ID: 690aea9b063e7c5f0116da7a

Added to database: 11/5/2025, 6:11:39 AM

Last enriched: 11/12/2025, 8:02:45 AM

Last updated: 12/20/2025, 12:57:40 PM
