CVE-2025-11692: CWE-862 Missing Authorization in quicoto Zip Attachments
The Zip Attachments plugin for WordPress is vulnerable to unauthorized loss of data due to a missing authorization and capability checks on the download.php file in all versions up to, and including, 1.6. This makes it possible for unauthenticated attackers to delete arbitrary files from the current wp_upload_dir directory.
AI Analysis
Technical Summary
The Zip Attachments plugin for WordPress suffers from a missing authorization vulnerability (CWE-862) in the download.php script in all versions up to 1.6. This flaw permits unauthenticated attackers to delete arbitrary files located in the WordPress uploads directory (wp_upload_dir) because the plugin fails to verify user permissions before processing deletion requests. The vulnerability has a CVSS 3.1 base score of 5.3, indicating a medium severity level, with network attack vector, low attack complexity, no privileges required, and no user interaction needed. There is no indication of confidentiality or availability impact, only integrity loss due to unauthorized file deletion. No known exploits are reported in the wild, and no patch or official fix is currently documented.
Potential Impact
An attacker can delete arbitrary files within the WordPress uploads directory without authentication, resulting in unauthorized data loss and integrity compromise. There is no impact on confidentiality or availability according to the CVSS vector and description. This could disrupt website functionality or cause loss of uploaded media or documents stored in the affected directory.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider restricting access to the download.php file and the uploads directory through web server configuration or other access controls to prevent unauthorized deletion. Monitoring for unusual file deletions and limiting plugin usage may also reduce risk.
CVE-2025-11692: CWE-862 Missing Authorization in quicoto Zip Attachments
Description
The Zip Attachments plugin for WordPress is vulnerable to unauthorized loss of data due to a missing authorization and capability checks on the download.php file in all versions up to, and including, 1.6. This makes it possible for unauthenticated attackers to delete arbitrary files from the current wp_upload_dir directory.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Zip Attachments plugin for WordPress suffers from a missing authorization vulnerability (CWE-862) in the download.php script in all versions up to 1.6. This flaw permits unauthenticated attackers to delete arbitrary files located in the WordPress uploads directory (wp_upload_dir) because the plugin fails to verify user permissions before processing deletion requests. The vulnerability has a CVSS 3.1 base score of 5.3, indicating a medium severity level, with network attack vector, low attack complexity, no privileges required, and no user interaction needed. There is no indication of confidentiality or availability impact, only integrity loss due to unauthorized file deletion. No known exploits are reported in the wild, and no patch or official fix is currently documented.
Potential Impact
An attacker can delete arbitrary files within the WordPress uploads directory without authentication, resulting in unauthorized data loss and integrity compromise. There is no impact on confidentiality or availability according to the CVSS vector and description. This could disrupt website functionality or cause loss of uploaded media or documents stored in the affected directory.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider restricting access to the download.php file and the uploads directory through web server configuration or other access controls to prevent unauthorized deletion. Monitoring for unusual file deletions and limiting plugin usage may also reduce risk.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-10-13T15:38:53.449Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 68ef5c7ec4f69c9730e56a09
Added to database: 10/15/2025, 8:34:06 AM
Last enriched: 4/9/2026, 9:07:15 AM
Last updated: 5/10/2026, 5:28:05 AM
Views: 192
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.