
CVE-2025-11692: CWE-862 Missing Authorization in quicoto Zip Attachments

Severity: Medium
Published: Wed Oct 15 2025 (10/15/2025, 08:25:59 UTC)
Source: CVE Database V5
Vendor/Project: quicoto
Product: Zip Attachments

Description

The Zip Attachments plugin for WordPress is vulnerable to unauthorized loss of data due to missing authorization and capability checks on the download.php file in all versions up to, and including, 1.6. This makes it possible for unauthenticated attackers to delete arbitrary files from the current wp_upload_dir directory.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/27/2026, 19:10:39 UTC

Technical Analysis

CVE-2025-11692 is a vulnerability identified in the Zip Attachments plugin developed by quicoto for WordPress, affecting all versions up to and including 1.6. The root cause is a missing authorization and capability check in the download.php script, which is responsible for handling file downloads related to zip attachments. Due to this missing security control, unauthenticated attackers can send crafted requests to download.php to delete arbitrary files located within the current WordPress uploads directory (wp_upload_dir). This directory typically contains user-uploaded media and other content, so unauthorized deletion can result in loss of important website data. The vulnerability is classified under CWE-862 (Missing Authorization) and has a CVSS v3.1 base score of 5.3, indicating a medium severity level. The attack vector is network-based, requiring no privileges or user interaction, making it relatively easy to exploit remotely. However, the impact is limited to integrity loss (file deletion) without affecting confidentiality or availability directly. No patches or fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability affects the WordPress ecosystem, which powers a significant portion of the web, making it a relevant concern for many organizations relying on this plugin for managing zip attachments.

Potential Impact

The primary impact of CVE-2025-11692 is unauthorized deletion of files within the WordPress uploads directory, which can lead to data loss, disruption of website media content, and potential degradation of user experience. While the vulnerability does not expose sensitive data or cause denial of service, the integrity compromise can affect website functionality, especially for sites relying heavily on media attachments managed by the plugin. For organizations, this could translate into operational disruptions, increased recovery costs, and reputational damage if critical content is lost or altered. Since exploitation requires no authentication and can be performed remotely, attackers can target vulnerable sites en masse, increasing the risk of widespread impact. However, the scope is limited to the files within the uploads directory, and the vulnerability does not allow for privilege escalation or broader system compromise.

Mitigation Recommendations

To mitigate CVE-2025-11692, organizations should first check for updates or patches from the plugin vendor and apply them promptly once available. In the absence of an official patch, administrators can implement the following specific measures:

1) Restrict direct access to the download.php file via web server configuration (e.g., using .htaccess rules or equivalent) to allow only authenticated users or trusted IP addresses.
2) Implement file integrity monitoring on the wp_upload_dir directory to detect unauthorized deletions or modifications quickly.
3) Regularly back up the uploads directory and website data to enable rapid restoration in case of file loss.
4) Review and harden WordPress file permissions to limit the plugin's ability to delete files beyond its intended scope.
5) Monitor web server logs for suspicious requests targeting download.php or unusual file deletion patterns.
6) Consider disabling or replacing the Zip Attachments plugin if it is not essential or if no timely patch is available.

These targeted mitigations go beyond generic advice by focusing on access control, monitoring, and recovery strategies specific to this vulnerability.
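The following script illustrates mitigation 2) above, file integrity monitoring of the uploads directory aimed at the impact this CVE describes (deletion of files under wp_upload_dir). It is an added example written for this page, not code from the Zip Attachments plugin or from the advisory source. It assumes a WordPress uploads tree laid out as `wp-content/uploads/YYYY/MM/`, which it constructs inside a temporary directory so the demo runs offline; in production you would point `snapshot()` at the real uploads path and store the baseline file outside that tree.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def snapshot(root):
    """Return {relative_posix_path: sha256_hex} for every regular file under root."""
    root = Path(root)
    state = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            state[path.relative_to(root).as_posix()] = digest
    return state


def save_baseline(state, baseline_file):
    """Persist a snapshot as JSON. Keep this file outside the monitored tree,
    otherwise an attacker who can delete uploads can also delete the baseline."""
    Path(baseline_file).write_text(json.dumps(state, indent=2, sort_keys=True))


def load_baseline(baseline_file):
    return json.loads(Path(baseline_file).read_text())


def diff_snapshots(baseline, current):
    """Classify changes relative to the baseline.
    'deleted' is the signal that matters for CVE-2025-11692 (unauthorized file loss);
    'modified' and 'added' are reported as well since they are cheap to compute."""
    before, after = set(baseline), set(current)
    return {
        "deleted": sorted(before - after),
        "added": sorted(after - before),
        "modified": sorted(k for k in before & after if baseline[k] != current[k]),
    }


def demo():
    """Constructed scenario: baseline an uploads tree, then delete and modify files
    the way an integrity check would see it on the next run."""
    with tempfile.TemporaryDirectory() as tmp:
        uploads = Path(tmp) / "wp-content" / "uploads"   # stands in for wp_upload_dir()
        month = uploads / "2025" / "10"
        month.mkdir(parents=True)
        (month / "report.zip").write_bytes(b"PK\x03\x04 constructed zip payload")
        (month / "logo.png").write_bytes(b"\x89PNG constructed image bytes")
        (month / "notes.txt").write_bytes(b"unchanged")

        baseline_file = Path(tmp) / "uploads-baseline.json"  # outside the monitored tree
        save_baseline(snapshot(uploads), baseline_file)

        (month / "report.zip").unlink()                        # simulated unauthorized deletion
        (month / "logo.png").write_bytes(b"\x89PNG replaced")  # simulated tampering

        return diff_snapshots(load_baseline(baseline_file), snapshot(uploads))


if __name__ == "__main__":
    # Any non-empty 'deleted' list is the alert condition for this vulnerability.
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind.upper():9} {p}")
```

Run `snapshot()` on a schedule (a cron job is sufficient) and alert whenever `diff_snapshots()` returns a non-empty `deleted` list; pairing each alert with the web server log entries for download.php from the same time window (mitigation 5) gives responders both the effect and the likely request that caused it. Legitimate media deletions through the WordPress admin will also appear here, so the baseline should be re-saved after reviewed changes.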


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-10-13T15:38:53.449Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68ef5c7ec4f69c9730e56a09

Added to database: 10/15/2025, 8:34:06 AM

Last enriched: 2/27/2026, 7:10:39 PM

Last updated: 3/24/2026, 10:12:16 AM

Views: 152
