CVE-2025-11174 – The Document Library Lite WordPress plugin has ... (How to Fix)

Q: What is the severity of CVE-2025-11174?

CVE-2025-11174 has a CVSS score of 5.3 (MEDIUM). The Document Library Lite WordPress plugin has an improper authorization vulnerability that allows unauthenticated attackers to retrieve unpublished document titles and content via an exposed AJAX endpoint. This affects all WordPress sites using the plugin up to version 1.1.6. Attackers can access draft, pending, and future documents without authentication.

📋 TL;DR

The Document Library Lite WordPress plugin has an improper authorization vulnerability that allows unauthenticated attackers to retrieve unpublished document titles and content via an exposed AJAX endpoint. This affects all WordPress sites using the plugin up to version 1.1.6. Attackers can access draft, pending, and future documents without authentication.

💻 Affected Systems

Products:

Document Library Lite WordPress Plugin

Versions: All versions up to and including 1.1.6

Operating Systems: Any OS running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: Affects all WordPress installations with the vulnerable plugin version installed and activated.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

Review the CVE details at NVD
Check vendor security advisories for your specific version
Test if the vulnerability is exploitable in your environment
Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Sensitive unpublished documents containing confidential information are exposed to unauthorized parties, potentially leading to data breaches, intellectual property theft, or regulatory violations.

🟠

Likely Case

Attackers harvest unpublished document metadata and content for reconnaissance, competitive intelligence gathering, or to find sensitive information.

🟢

If Mitigated

Limited exposure of non-critical draft documents with minimal sensitive content.

🌐 Internet-Facing: HIGH - The vulnerability is exploitable remotely without authentication via public WordPress AJAX endpoints.

🏢 Internal Only: LOW - The vulnerability exists regardless of network segmentation, but internal-only systems have reduced attack surface.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires simple HTTP requests to WordPress AJAX endpoints with crafted parameters.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.1.7 or later

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3385033/document-library-lite/trunk/src/Table/Ajax_Handler.php

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find Document Library Lite. 4. Click 'Update Now' if update available. 5. Alternatively, download version 1.1.7+ from WordPress.org and replace plugin files.

🔧 Temporary Workarounds

Disable vulnerable AJAX endpoint

all

Remove or block access to the dll_load_posts AJAX action via .htaccess or plugin modification

# Add to .htaccess or site config:
RewriteCond %{QUERY_STRING} action=dll_load_posts
RewriteRule ^wp-admin/admin-ajax\.php$ - [F,L]

Deactivate plugin

linux

Temporarily disable the Document Library Lite plugin until patched

wp plugin deactivate document-library-lite

🧯 If You Can't Patch

Implement web application firewall (WAF) rules to block requests containing 'action=dll_load_posts' parameter
Restrict access to /wp-admin/admin-ajax.php via IP whitelisting or authentication requirements

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Document Library Lite version. If version ≤1.1.6, vulnerable. Test by sending GET request to /wp-admin/admin-ajax.php?action=dll_load_posts with args[status]=any

Check Version:

wp plugin get document-library-lite --field=version

Verify Fix Applied:

Confirm plugin version is 1.1.7+. Test the same endpoint should return authorization error or no data for unauthenticated requests.

📡 Detection & Monitoring

Log Indicators:

Multiple requests to /wp-admin/admin-ajax.php with action=dll_load_posts
Unusual parameter patterns like args[status]=any or args[status]=draft from unauthenticated IPs

Network Indicators:

HTTP GET requests to WordPress AJAX endpoints with dll_load_posts action from external IPs
Unusual spikes in requests to admin-ajax.php

SIEM Query:

source="web_logs" AND url_path="/wp-admin/admin-ajax.php" AND query_string="*action=dll_load_posts*" AND NOT user_agent="*bot*" | stats count by src_ip

📊 Metadata

CVE ID: CVE-2025-11174

CVSS v3 Score: 5.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE: CWE-285

EPSS Score: 0.06% exploit probability (19.3th percentile)

Published: November 1, 2025

Last Updated: November 4, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-11174, you might also want to check these: