CVE-2025-11692
📋 TL;DR
The Zip Attachments plugin for WordPress has an authorization vulnerability that allows unauthenticated attackers to delete arbitrary files from the WordPress uploads directory. This affects all WordPress sites using Zip Attachments plugin version 1.6 and earlier. Attackers can exploit this without any authentication or special privileges.
💻 Affected Systems
- WordPress Zip Attachments plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete deletion of all files in wp-content/uploads directory, including critical media files, backups, and uploaded content, potentially causing permanent data loss and site functionality issues.
Likely Case
Selective deletion of important files like images, documents, or configuration files, leading to broken site functionality and content loss.
If Mitigated
Minimal impact if proper file permissions and access controls are in place, though some data loss may still occur.
🎯 Exploit Status
Exploitation requires sending crafted HTTP requests to the vulnerable download.php endpoint. No authentication or special knowledge required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version after 1.6
Vendor Advisory: https://plugins.trac.wordpress.org/browser/zip-attachments/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the Zip Attachments plugin.
4. Click 'Update Now' if an update is available.
5. If no update is available, deactivate and delete the plugin immediately.
🔧 Temporary Workarounds
Disable plugin
Deactivate the Zip Attachments plugin to prevent exploitation
Block access to download.php
Use web server configuration to block access to the vulnerable file
# For Apache: add to the .htaccess in the WordPress root (or in wp-content/plugins/zip-attachments/ to limit it to this plugin)
<Files "download.php">
    <IfModule mod_authz_core.c>
        # Apache 2.4+
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2
        Order Allow,Deny
        Deny from all
    </IfModule>
</Files>
# For Nginx: add to the server block; the anchored path limits the rule to this plugin's file
location ~* ^/wp-content/plugins/zip-attachments/download\.php$ {
    deny all;   # answers with HTTP 403
}
🧯 If You Can't Patch
- Deactivate the Zip Attachments plugin immediately
- Implement strict file permissions on wp-content/uploads directory (755 for directories, 644 for files)
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins for Zip Attachments version. If version is 1.6 or lower, you are vulnerable.
Check Version:
# From WordPress root directory
grep -r "Version:" wp-content/plugins/zip-attachments/zip-attachments.php | head -1
Verify Fix Applied:
After updating, verify that the plugin version is higher than 1.6. Then request /wp-content/plugins/zip-attachments/download.php: it should return HTTP 403 if the web server block is in place, or otherwise no longer execute the vulnerable code path.
📡 Detection & Monitoring
Log Indicators:
- HTTP 200 or 403 responses to requests for /download.php that use a method other than GET or carry file-manipulation parameters (values containing "delete" or "remove")
- Multiple failed file access attempts in wp-content/uploads directory
- Unusual file deletion patterns in uploads folder
Network Indicators:
- HTTP requests to /wp-content/plugins/zip-attachments/download.php with file path parameters
- Unusual traffic patterns to plugin directory from unauthenticated sources
SIEM Query:
source="web_server_logs" AND (uri_path="/wp-content/plugins/zip-attachments/download.php" OR uri_path CONTAINS "download.php") AND (http_method!="GET" OR parameters CONTAINS "delete" OR parameters CONTAINS "remove")
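As an added example (not from this page or the plugin vendor), the SIEM logic above applied in Python to Apache/Nginx combined-format access-log lines; the sample lines and their query parameter names are constructed, since the page does not document the plugin's real parameters.

```python
import re
from urllib.parse import urlsplit

# Apache/Nginx "combined" access-log format: client, identd, user, [time], "request", status, bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Same conditions as the SIEM query: any download.php request that is not a plain GET,
# or whose query string mentions "delete" or "remove".
SUSPECT_WORDS = ("delete", "remove")

def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_suspicious(entry):
    """Apply the detection logic to one parsed entry (dict with method and target)."""
    url = urlsplit(entry["target"])
    if not url.path.endswith("download.php"):
        return False
    if entry["method"] != "GET":
        return True
    return any(word in url.query.lower() for word in SUSPECT_WORDS)

def find_suspicious(lines):
    """Return (ip, method, target, status) for every line that trips the rule."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and is_suspicious(entry):
            hits.append((entry["ip"], entry["method"], entry["target"], entry["status"]))
    return hits

# Constructed sample log lines (RFC 5737 test addresses); the query parameter names are
# placeholders, since the page does not document the plugin's real parameters.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2025:12:00:01 +0000] "GET /wp-content/plugins/zip-attachments/download.php?id=12 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2025:12:00:02 +0000] "POST /wp-content/plugins/zip-attachments/download.php HTTP/1.1" 200 0 "-" "curl/8.0"',
    '198.51.100.7 - - [10/Oct/2025:12:00:03 +0000] "GET /wp-content/plugins/zip-attachments/download.php?delete=test HTTP/1.1" 403 0 "-" "python-requests/2.31"',
    '192.0.2.9 - - [10/Oct/2025:12:00:04 +0000] "GET /index.php HTTP/1.1" 200 5000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print("suspicious:", hit)
```

Run it against a real access log with `find_suspicious(open(path))`; a hit is a lead to investigate, not proof of exploitation, since the plugin's legitimate traffic is not characterised on this page.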