Home

Description

The MelAbu WP Download Counter Button WordPress plugin through 1.8.6.7 does not validate the path of files to be downloaded, which could allow unauthenticated attacker to read/download arbitrary files.

PUBLISHED Reserved 2025-09-26 | Published 2025-11-05 | Updated 2025-11-05 | Assigner WPScan

Problem types

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Product status

Default status
affected

Any version
affected

Credits

Khaled Alenazi (Nxploited) finder

WPScan coordinator

References

wpscan.com/...rability/538117c5-b04c-45fc-a953-6f619fdf7eaf/ exploit vdb-entry technical-description

cve.org (CVE-2025-11072)

nvd.nist.gov (CVE-2025-11072)

Download JSON