CVE-2025-11072 is a security vulnerability classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, commonly known as path traversal) found in the MelAbu WP Download Counter Button WordPress plugin, versions through 1.8.6.7. The vulnerability arises because the plugin does not properly validate or sanitize the file paths requested for download. This allows an unauthenticated attacker to craft specially designed requests that traverse directories on the server, enabling them to read or download arbitrary files outside the intended download directory. Since the flaw requires no authentication or user interaction, it can be exploited remotely over the network with low complexity. The vulnerability impacts the confidentiality of data stored on the server by potentially exposing sensitive files such as configuration files, credentials, or other private data. The CVSS v3.1 base score of 5.3 reflects a medium severity, primarily due to the lack of impact on integrity or availability and the absence of known active exploits. However, the exposure of sensitive files can lead to further attacks if leveraged by adversaries. The plugin is used within WordPress environments, which are widely deployed globally, increasing the potential attack surface. No official patches or fixes have been linked yet, so mitigation relies on configuration changes or disabling the vulnerable plugin until an update is available.

The primary impact of CVE-2025-11072 is unauthorized disclosure of sensitive information due to arbitrary file read capabilities. Attackers can access configuration files, database credentials, or other critical data stored on the web server, which can facilitate further compromise such as privilege escalation, data theft, or lateral movement within the network. For organizations, this can lead to data breaches, loss of customer trust, regulatory penalties, and operational disruptions. Since the vulnerability does not affect data integrity or availability, direct service disruption is unlikely. However, the exposure of sensitive files can indirectly enable more severe attacks. The ease of exploitation without authentication increases the risk, especially for publicly accessible WordPress sites using the affected plugin. Organizations relying on this plugin for download tracking should consider the confidentiality risks significant, particularly if sensitive files are stored on the same server.

1. Immediately disable or uninstall the MelAbu WP Download Counter Button plugin until a secure version is released. 2. Monitor official plugin repositories and vendor announcements for patches addressing CVE-2025-11072 and apply updates promptly. 3. Implement web application firewall (WAF) rules to detect and block path traversal attack patterns targeting the plugin endpoints. 4. Restrict file system permissions on the web server to limit access to sensitive files, ensuring the web server user cannot read unnecessary files. 5. Use security plugins or configurations that enforce strict input validation and sanitize user-supplied parameters. 6. Conduct regular security audits and vulnerability scans on WordPress installations to detect similar issues. 7. Educate site administrators about the risks of installing unverified plugins and encourage minimal plugin usage to reduce attack surface. 8. Consider isolating critical data and configuration files outside the web root or using environment variables to reduce exposure risk.