CVE-2025-11692: CWE-862 Missing Authorization in quicoto Zip Attachments
The Zip Attachments plugin for WordPress is vulnerable to unauthorized loss of data due to missing authorization and capability checks on the download.php file in all versions up to, and including, 1.6. This makes it possible for unauthenticated attackers to delete arbitrary files from the current wp_upload_dir directory.
AI Analysis
Technical Summary
CVE-2025-11692 is a vulnerability in the quicoto Zip Attachments plugin for WordPress, affecting all versions up to and including 1.6. The core issue is a missing authorization and capability check in the download.php script, which handles file downloads for the plugin. Because the script never verifies who is calling it, an unauthenticated attacker can send a crafted request to download.php and delete arbitrary files inside the WordPress uploads directory (wp_upload_dir). The vulnerability is categorized as CWE-862 (Missing Authorization); it requires no authentication or user interaction and is exploitable remotely over the network. The impact is primarily on integrity: attackers can delete files, disrupting website content, media assets, or other uploaded data. Confidentiality and availability are not directly affected, and no exploits in the wild had been reported as of the publication date. The CVSS v3.1 base score is 5.3 (medium), reflecting the ease of exploitation weighed against the limited impact scope. Sites running this plugin are at risk, particularly those whose upload directories are publicly accessible, since an attacker could remove critical files and cause operational disruption or data loss. With no patch available at the time of reporting, mitigation steps should be applied immediately.
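As an added illustration (not the Zip Attachments plugin's code), this is the set of checks a WordPress handler that deletes an archive from the uploads directory should perform before acting: a capability check (the control CWE-862 says is missing), a nonce bound to the action, and path containment inside wp_upload_dir()['basedir'], with the handler routed through admin-post.php so the WordPress APIs are loaded rather than invoked as a standalone file. The hook name, nonce action and the `file` parameter are assumptions.

```php
<?php
// Added example, not the plugin's code: a hardened delete handler for an archive
// stored in the uploads directory. Hook name, nonce action and 'file' parameter are assumed.

add_action( 'admin_post_za_example_cleanup', 'za_example_cleanup' );

function za_example_cleanup() {
    // 1. Authorization / capability check. This is the control whose absence in
    //    download.php lets anonymous visitors reach the deletion logic.
    if ( ! is_user_logged_in() || ! current_user_can( 'upload_files' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }

    // 2. Nonce check: the request must come from a form or link this site issued
    //    to this user, which also blocks cross-site request forgery.
    $nonce = isset( $_REQUEST['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['_wpnonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'za_example_cleanup' ) ) {
        wp_die( 'Invalid request', '', array( 'response' => 403 ) );
    }

    // 3. Path containment: accept only a sanitized file name (sanitize_file_name strips
    //    slashes) and require the resolved path to stay inside the uploads directory.
    //    This bounds the damage even if checks 1 and 2 regress in a later release.
    $name    = isset( $_REQUEST['file'] ) ? sanitize_file_name( wp_unslash( $_REQUEST['file'] ) ) : '';
    $upload  = wp_upload_dir();
    $basedir = realpath( $upload['basedir'] );
    $target  = realpath( trailingslashit( $upload['basedir'] ) . $name );

    if ( '' === $name || false === $basedir || false === $target
        || 0 !== strpos( $target, trailingslashit( $basedir ) ) ) {
        wp_die( 'Invalid file', '', array( 'response' => 400 ) );
    }

    // 4. Limit deletion to the plugin's own artifacts instead of arbitrary uploads.
    if ( 'zip' !== strtolower( pathinfo( $target, PATHINFO_EXTENSION ) ) ) {
        wp_die( 'Invalid file type', '', array( 'response' => 400 ) );
    }

    wp_delete_file( $target );
    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
}
```

The ordering matters for defenders reviewing similar plugins: a path check alone would still let any visitor delete every .zip in the uploads directory, which is why the capability check comes first.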
Potential Impact
For European organizations, this vulnerability could lead to unauthorized deletion of files within WordPress upload directories, potentially disrupting website operations, damaging media content, or causing loss of user-uploaded data. Organizations relying on WordPress sites with the quicoto Zip Attachments plugin are at risk of integrity breaches that could affect customer trust and business continuity. While the vulnerability does not directly expose sensitive data or cause denial of service, the ability to delete arbitrary files can result in significant operational challenges, especially for e-commerce, media, and content-heavy websites. The ease of exploitation without authentication increases the threat level, as attackers can remotely target vulnerable sites. European entities with strict data protection and operational resilience requirements may face compliance and reputational risks if such attacks lead to data loss or service interruptions.
Mitigation Recommendations
1. Monitor official channels for patches or updates from the quicoto plugin developers and apply them promptly once released.
2. Implement web application firewall (WAF) rules to restrict or block unauthorized access to download.php, limiting requests to trusted users or IP ranges where feasible.
3. Restrict file system permissions on the wp_upload_dir directory to minimize the impact of unauthorized file deletions.
4. Employ intrusion detection systems to monitor unusual deletion activities within upload directories.
5. Regularly back up WordPress site data, including uploads, to enable rapid recovery in case of file deletion.
6. Consider disabling or replacing the vulnerable plugin if immediate patching is not possible.
7. Conduct security audits on WordPress plugins to identify and remediate missing authorization issues proactively.
8. Educate site administrators about the risks of using outdated or unmaintained plugins and encourage timely updates.
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-13T15:38:53.449Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68ef5c7ec4f69c9730e56a09
Added to database: 10/15/2025, 8:34:06 AM
Last enriched: 10/15/2025, 8:51:53 AM
Last updated: 10/15/2025, 5:05:19 PM