CVE-2025-14633 identifies a missing authorization vulnerability (CWE-862) in the niao70 F70 Lead Document Download plugin for WordPress, present in all versions up to and including 1.4.4. The vulnerability stems from the absence of a capability check within the 'file_download' function, which is responsible for serving files from the WordPress media library. This omission allows unauthenticated attackers to bypass access controls and download arbitrary files by guessing or enumerating WordPress attachment IDs. Since WordPress attachment IDs are sequential and predictable, attackers can systematically retrieve sensitive documents stored in the media library without any credentials or user interaction. The vulnerability affects confidentiality by exposing potentially sensitive files but does not impact data integrity or system availability. The attack vector is network-based with low attack complexity and no privileges required, making exploitation feasible for remote adversaries. Although no public exploits have been reported yet, the vulnerability's nature suggests it could be leveraged for data leakage or reconnaissance. The plugin is used primarily on WordPress sites that require document downloads, which may include corporate, governmental, or educational institutions. The lack of a patch link indicates that a fix may not yet be available, emphasizing the need for interim mitigations. The CVSS 3.1 base score of 5.3 reflects a medium severity rating, driven by the ease of exploitation and confidentiality impact.

For European organizations, this vulnerability poses a risk of unauthorized disclosure of sensitive or confidential documents stored in WordPress media libraries. Organizations that use the F70 Lead Document Download plugin to distribute internal reports, contracts, or personal data could inadvertently expose this information to attackers. This could lead to data breaches, regulatory non-compliance (e.g., GDPR violations), reputational damage, and potential financial penalties. The impact is particularly significant for sectors handling sensitive personal data such as healthcare, finance, and government agencies. Since the vulnerability does not affect data integrity or availability, the primary concern is confidentiality loss. The ease of exploitation without authentication increases the risk of opportunistic attacks and automated scanning by threat actors. European organizations with public-facing WordPress sites using this plugin are at heightened risk, especially if they have not implemented compensating controls or network segmentation to protect media files.

1. Monitor the plugin vendor’s official channels for patches and apply updates promptly once available. 2. In the absence of an official patch, restrict access to the WordPress media library directory via web server configuration (e.g., .htaccess rules or NGINX directives) to limit file downloads to authorized users or IP ranges. 3. Implement a Web Application Firewall (WAF) with rules to detect and block suspicious requests attempting to enumerate attachment IDs or access the 'file_download' endpoint. 4. Audit and minimize the number of sensitive files stored in the media library; consider storing confidential documents outside the web root or in protected repositories. 5. Enable detailed logging and monitor for unusual download patterns or spikes in media file access. 6. Educate site administrators about the risks of unauthorized file access and encourage regular security reviews of plugins and their configurations. 7. Consider disabling or replacing the F70 Lead Document Download plugin with alternatives that enforce proper authorization checks.