CVE-2025-11701 is a vulnerability identified in the Zip Attachments plugin developed by quicoto for WordPress, affecting all versions up to and including 1.6. The vulnerability stems from a missing authorization check (CWE-862) and absence of post status validation within the za_create_zip_callback function. This function is responsible for creating ZIP archives of attachments linked to WordPress posts. Due to the lack of capability checks, unauthenticated attackers can invoke this function to download attachments associated with private or password-protected posts, bypassing intended access restrictions. The vulnerability does not require any user privileges or interaction, making it remotely exploitable over the network. The CVSS v3.1 base score is 5.3 (medium severity), reflecting the vulnerability's impact on confidentiality without affecting integrity or availability. No known public exploits have been reported yet, but the potential for unauthorized data disclosure is significant, especially for websites hosting sensitive or confidential information. The plugin is popular among WordPress users who need to bundle attachments into ZIP files, increasing the potential attack surface. The vulnerability highlights the importance of proper authorization checks and validation of post status when handling protected content in plugins.

For European organizations, the primary impact is unauthorized disclosure of sensitive or confidential attachments stored within private or password-protected WordPress posts. This can lead to leakage of intellectual property, personal data subject to GDPR, or other regulated information, potentially resulting in compliance violations, reputational damage, and financial penalties. Since the vulnerability allows unauthenticated remote access, attackers can exploit it without needing credentials, increasing the risk of widespread data exposure. Organizations relying on WordPress for internal communications, document sharing, or client data management are particularly vulnerable. The lack of integrity or availability impact reduces the risk of service disruption but does not diminish the seriousness of confidentiality breaches. The absence of known exploits in the wild provides a window for proactive mitigation before active exploitation occurs.

1. Monitor for and apply security updates from the quicoto Zip Attachments plugin as soon as patches addressing CVE-2025-11701 are released. 2. Until patches are available, consider disabling or uninstalling the Zip Attachments plugin on WordPress sites that handle sensitive or private content. 3. Implement web application firewall (WAF) rules to detect and block suspicious requests targeting the za_create_zip_callback function or related plugin endpoints. 4. Restrict access to WordPress administrative and plugin-related URLs using IP whitelisting or VPN access where feasible. 5. Review and tighten WordPress user roles and permissions to minimize exposure of private posts and attachments. 6. Conduct audits of private and password-protected posts to identify and secure sensitive attachments. 7. Employ logging and monitoring to detect unusual download activity from WordPress sites. 8. Educate site administrators about the risks of using plugins without proper authorization checks and encourage regular security assessments.