CVE-2025-11701 is a vulnerability identified in the Zip Attachments plugin for WordPress, developed by quicoto. The issue stems from a missing capability check and lack of validation of post status within the za_create_zip_callback function. This function is responsible for generating zip files of attachments linked to WordPress posts. Due to the absence of authorization controls, unauthenticated attackers can exploit this flaw to download attachments associated with private or password-protected posts, which should normally be inaccessible without proper permissions. The vulnerability affects all versions of the plugin up to and including version 1.6. The CVSS v3.1 base score is 5.3, reflecting a medium severity level. The vector indicates that the attack can be performed remotely (AV:N) with low attack complexity (AC:L), requires no privileges (PR:N), and no user interaction (UI:N). The impact is limited to confidentiality loss (C:L), with no impact on integrity or availability. No patches or exploit code are currently publicly available, but the vulnerability is published and assigned by Wordfence. The underlying weakness is categorized under CWE-862 (Missing Authorization), highlighting a failure to enforce proper access controls. This vulnerability could be leveraged by attackers to access sensitive or confidential files, potentially leading to data leaks or exposure of private information stored in attachments.

The primary impact of CVE-2025-11701 is unauthorized disclosure of sensitive data contained in attachments linked to private or password-protected WordPress posts. Organizations using the Zip Attachments plugin are at risk of data leakage, which could include confidential documents, proprietary information, or personally identifiable information (PII). This breach of confidentiality can damage organizational reputation, lead to regulatory compliance violations (such as GDPR or HIPAA), and expose the organization to further targeted attacks. Since the vulnerability does not affect data integrity or availability, it does not enable attackers to modify content or disrupt services directly. However, the ease of exploitation without authentication or user interaction increases the risk profile, as attackers can automate scanning and exploitation at scale. The scope includes any WordPress site running the vulnerable plugin versions, which may be widespread given WordPress's global popularity. Although no known exploits are currently in the wild, the public disclosure increases the likelihood of future exploitation attempts.

To mitigate CVE-2025-11701, organizations should immediately update the Zip Attachments plugin to a patched version once it becomes available from the vendor. In the absence of an official patch, administrators can implement temporary mitigations such as restricting access to the plugin’s zip generation functionality via web application firewall (WAF) rules or IP whitelisting to trusted users only. Reviewing and tightening WordPress user roles and permissions can reduce exposure. Additionally, disabling or removing the Zip Attachments plugin if it is not essential can eliminate the risk. Monitoring web server logs for unusual requests targeting the zip creation endpoint can help detect exploitation attempts. Security teams should also conduct audits of private and password-protected posts to ensure no sensitive attachments are unnecessarily exposed. Finally, organizations should maintain regular backups and have an incident response plan ready in case of data exposure.