The Document Library Lite plugin for WordPress, up to and including version 1.1.6, contains an improper authorization vulnerability identified as CVE-2025-11174 (CWE-285). The root cause is the exposure of an unauthenticated AJAX action named dll_load_posts, which returns a JSON-formatted table of document data without performing any nonce verification or capability checks. This means that any unauthenticated user can invoke this AJAX endpoint remotely. The handler accepts an attacker-controlled 'args' array, where the 'status' option can be set to values such as 'draft', 'pending', 'future', or 'any'. These statuses correspond to unpublished or non-public documents. By exploiting this, an attacker can retrieve titles and content of documents that are not yet published, thus bypassing intended access restrictions. The vulnerability affects all versions of the plugin up to 1.1.6, with no patch currently linked. The CVSS v3.1 base score is 5.3, reflecting a medium severity primarily due to confidentiality impact without integrity or availability compromise. The attack vector is network-based, requires no privileges, and no user interaction, making it relatively easy to exploit. However, no known active exploits have been reported in the wild as of the publication date.

This vulnerability primarily impacts the confidentiality of unpublished documents managed by the Document Library Lite plugin on WordPress sites. Unauthorized disclosure of draft or pending documents can lead to information leakage, potentially exposing sensitive or proprietary content before intended publication. This can harm organizations by revealing internal plans, intellectual property, or sensitive data to competitors or malicious actors. While the vulnerability does not affect data integrity or system availability, the exposure of unpublished content can damage reputation and trust. Since the vulnerability requires no authentication and can be exploited remotely, any WordPress site using the affected plugin version is at risk. Attackers could automate data harvesting at scale, increasing the risk of widespread information leakage. Organizations relying on this plugin for document management should consider the sensitivity of their unpublished content and the potential consequences of its exposure.

Organizations should immediately upgrade the Document Library Lite plugin to a version that addresses this vulnerability once available. In the absence of an official patch, administrators should restrict access to the AJAX endpoint by implementing server-level controls such as IP whitelisting or web application firewall (WAF) rules to block unauthenticated requests to dll_load_posts. Additionally, custom code can be added to enforce nonce verification and capability checks before processing AJAX requests. Site owners should audit their document libraries to identify any sensitive unpublished content and consider temporarily removing or restricting access to such documents until the vulnerability is remediated. Monitoring web server logs for suspicious AJAX requests targeting dll_load_posts can help detect exploitation attempts. Finally, maintaining regular backups and applying the principle of least privilege to WordPress roles can reduce risk exposure.