Vulnerability Description
The Zip Attachments plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check as well as missing post status validation in the za_create_zip_callback function in all versions up to, and including, 1.6. This makes it possible for unauthenticated attackers to download attachments from private and password-protected posts.
CVSS Score
MEDIUM
Related Weaknesses (CWE)
References
- http://plugins.trac.wordpress.org/browser/zip-attachments/tags/1.6/zip-attachmen
- http://plugins.trac.wordpress.org/browser/zip-attachments/tags/1.6/zip-attachmen
- https://www.wordfence.com/threat-intel/vulnerabilities/id/e166d52d-73d1-4572-b9c
FAQ
What is CVE-2025-11701?
CVE-2025-11701 is a vulnerability with a CVSS score of 5.3 (MEDIUM). The Zip Attachments plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check as well as missing post status validation in the za_create_zip_callback function...
How severe is CVE-2025-11701?
CVE-2025-11701 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-11701?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.