CVE-2025-49995
BaseFortify
Publication date: 2025-06-20
Last updated on: 2026-04-23
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an Insecure Direct Object References (IDOR) issue in the WordPress Download Attachments plugin up to version 1.3.1. It allows unauthenticated attackers to bypass authorization controls by exploiting incorrectly configured access control security levels, potentially granting them access to sensitive files, folders, or database interactions that should be restricted. [1]
How can this vulnerability impact me? :
The vulnerability can allow unauthorized users to access sensitive information or resources on your website, such as files or database content, without proper permissions. This can lead to data exposure and potential compromise of your website's security. Since the plugin is abandoned with no official fixes, the risk remains unless mitigated by virtual patching or replacing the plugin. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying if the WordPress Download Attachments plugin version 1.3.1 or earlier is installed and active. Since the vulnerability allows unauthorized access to files via Insecure Direct Object References (IDOR), monitoring for unusual access patterns to attachment URLs or unauthorized file downloads may help. However, plugin-based malware scanners may be unreliable for detecting exploitation. No specific detection commands are provided in the available resources. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include removing and replacing the vulnerable Download Attachments plugin, as no official fix or update is available and the plugin is abandoned. Applying a virtual patch (vPatch) from Patchstack is recommended to provide automatic protection against this vulnerability. Deactivating the plugin alone does not eliminate the risk. Seeking professional incident response services is advised if compromise is suspected. [1]