CVE-2025-11072
📋 TL;DR
The MelAbu WP Download Counter Button WordPress plugin through version 1.8.6.7 contains a path traversal vulnerability that allows unauthenticated attackers to read or download arbitrary files from the server. This affects all WordPress sites running the vulnerable plugin version. Attackers can exploit this without any authentication or special privileges.
💻 Affected Systems
- MelAbu WP Download Counter Button WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could download sensitive files like wp-config.php containing database credentials, server configuration files, or other sensitive data, potentially leading to full site compromise.
Likely Case
Attackers will download WordPress configuration files to obtain database credentials and other sensitive information, then use those to gain administrative access or further compromise the site.
If Mitigated
With proper file permissions and web server restrictions, attackers may only be able to access publicly readable files, limiting the impact.
🎯 Exploit Status
The vulnerability is simple to exploit via crafted HTTP requests. Public proof-of-concept code is available in the WPScan reference.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.8.6.8 or later
Vendor Advisory: https://wpscan.com/vulnerability/538117c5-b04c-45fc-a953-6f619fdf7eaf/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'MelAbu WP Download Counter Button'.
4. Click 'Update Now' if an update is available.
5. Alternatively, download the latest version from the WordPress plugin repository and replace the plugin files.
🔧 Temporary Workarounds
Disable vulnerable plugin
Temporarily deactivate the plugin until patched:
wp plugin deactivate melabu-wp-download-counter-button
Restrict file access via .htaccess
Add rules to block direct HTTP access to sensitive files (this stops direct downloads over HTTP only; it does not prevent the plugin's own PHP code from reading files from disk):
<FilesMatch "^(wp-config\.php|.*\.sql|.*\.env)$">
Order allow,deny
Deny from all
</FilesMatch>
🧯 If You Can't Patch
- Remove the plugin entirely if not essential for site functionality
- Implement web application firewall rules to block path traversal attempts
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Installed Plugins for MelAbu WP Download Counter Button version 1.8.6.7 or earlier
Check Version:
wp plugin list --name='melabu-wp-download-counter-button' --field=version
Verify Fix Applied:
Verify plugin version is 1.8.6.8 or later in WordPress admin panel
📡 Detection & Monitoring
Log Indicators:
- HTTP requests containing '../' or similar path traversal patterns to plugin endpoints
- Unusual file access patterns from single IP addresses
- Requests to /wp-content/plugins/melabu-wp-download-counter-button/ with file parameters
Network Indicators:
- HTTP GET requests with file= parameter containing path traversal sequences
- Traffic to plugin download endpoints from unauthenticated users
SIEM Query:
source="web_logs" AND (uri_path="*melabu-wp-download-counter-button*" AND (query="*file=*../*" OR query="*file=*..\\*"))
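As an added defender-side example (not from the advisory, WPScan or the plugin author), the log indicators above turned into a small checker run over constructed Apache access-log lines; unlike the literal-match SIEM query it also percent-decodes the file= value so encoded and double-encoded traversal sequences are caught. The endpoint name download.php and the sample IPs are assumptions; only the plugin directory and the file= parameter come from the page.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache combined format). The endpoint
# download.php is an assumption; only the plugin directory and the file=
# parameter are taken from the advisory's indicators.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2025:12:00:01 +0000] "GET /wp-content/plugins/melabu-wp-download-counter-button/download.php?file=report.pdf HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [10/Oct/2025:12:00:02 +0000] "GET /wp-content/plugins/melabu-wp-download-counter-button/download.php?file=../../../wp-config.php HTTP/1.1" 200 3210 "-" "curl/8.0"
203.0.113.12 - - [10/Oct/2025:12:00:03 +0000] "GET /wp-content/plugins/melabu-wp-download-counter-button/download.php?file=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 3210 "-" "python-requests/2.31"
203.0.113.13 - - [10/Oct/2025:12:00:04 +0000] "GET /wp-content/plugins/melabu-wp-download-counter-button/download.php?file=..%255c..%255cwp-config.php HTTP/1.1" 200 3210 "-" "-"
203.0.113.14 - - [10/Oct/2025:12:00:05 +0000] "GET /index.php?p=../../etc/passwd HTTP/1.1" 404 0 "-" "-"
"""

PLUGIN_PATH = "/wp-content/plugins/melabu-wp-download-counter-button/"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (defeats double encoding) and unify \\ to /."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")


def is_traversal(uri: str) -> bool:
    """True when a request under the plugin path carries a file= value that walks up directories."""
    path, _, query = uri.partition("?")
    if not path.startswith(PLUGIN_PATH):
        return False
    for param in query.split("&"):
        name, _, val = param.partition("=")
        if name == "file" and "../" in normalize(val) + "/":
            return True
    return False


def find_traversal_hits(log_text: str) -> list[dict]:
    """Return ip, timestamp, uri and status for every log line matching the traversal pattern."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal(m.group("uri")):
            hits.append({k: m.group(k) for k in ("ip", "ts", "uri", "status")})
    return hits


if __name__ == "__main__":
    for hit in find_traversal_hits(SAMPLE_LOG):
        print(hit["ip"], hit["status"], hit["uri"])
```

A 200 status on a flagged line means the server actually served the requested file, which should raise the incident's priority over a 404.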