CVE-2025-12041
📋 TL;DR
The ERI File Library WordPress plugin up to version 1.1.0 has an authorization bypass vulnerability that allows unauthenticated attackers to download files intended for specific user roles only. This affects all WordPress sites using vulnerable versions of this plugin. Attackers can access restricted files without any authentication.
💻 Affected Systems
- ERI File Library WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Sensitive files containing confidential data, credentials, or proprietary information are exfiltrated by attackers, leading to data breaches, compliance violations, and reputational damage.
Likely Case
Attackers download files intended for authenticated users, potentially accessing internal documents, media files, or other restricted content stored through the plugin.
If Mitigated
With proper access controls and monitoring, unauthorized access attempts are detected and blocked, limiting data exposure to minimal or no sensitive files.
🎯 Exploit Status
Exploitation requires sending crafted AJAX requests to the vulnerable endpoint without authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version after 1.1.0
Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3385895%40eri-file-library&new=3385895%40eri-file-library
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'ERI File Library' and click 'Update Now'.
4. Verify that the plugin version is now beyond 1.1.0.
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoint
WordPress: add the following to the active theme's functions.php (or to a must-use plugin, so it survives theme updates) to unhook the vulnerable AJAX action for both logged-in and anonymous callers. remove_action() returns false and changes nothing if the callback name or priority does not match what the plugin registered, so confirm both against the plugin source before relying on this.
add_action('init', function () {
    // Hook and callback names as given in this advisory; priority 10 is the WordPress default.
    remove_action('wp_ajax_erifl_file', 'erifl_file_callback');        // logged-in users
    remove_action('wp_ajax_nopriv_erifl_file', 'erifl_file_callback'); // anonymous users
});
🧯 If You Can't Patch
- Disable or remove the ERI File Library plugin entirely
- Implement web application firewall rules to block requests to the vulnerable AJAX endpoint
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins for ERI File Library version 1.1.0 or earlier
Check Version:
wp plugin list --name=eri-file-library --field=version
(--name filters on the plugin slug, eri-file-library as in the vendor advisory URL, not on the display title; an empty result means the plugin is not installed.)
Verify Fix Applied:
Verify plugin version is updated beyond 1.1.0 and test that unauthenticated requests to /wp-admin/admin-ajax.php?action=erifl_file return proper authorization errors
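The two checks above (version beyond 1.1.0, anonymous request refused) as one script. This is an added example for this page, not the vendor's or the plugin's code. It assumes WP-CLI is on PATH, that the plugin slug is eri-file-library (taken from the vendor advisory URL), and that the site is reachable over HTTP from where it runs. The advisory does not name the parameter that selects a file, so the probe sends only action=erifl_file and can only report whether an anonymous call to the action is refused outright.

```python
"""Post-patch verification for the ERI File Library advisory (CVE-2025-12041).

Added example for this page; not the vendor's or the plugin's code.
Assumptions: WP-CLI (`wp`) is on PATH; the plugin slug is `eri-file-library`
(from the vendor advisory URL); the site is reachable over HTTP from here.
No file-selecting parameter is sent because the advisory does not name one."""
import re
import subprocess
import urllib.error
import urllib.request

LAST_AFFECTED = (1, 1, 0)  # advisory: versions up to and including 1.1.0
ACTION_URL = "/wp-admin/admin-ajax.php?action=erifl_file"


def parse_version(text):
    """'1.1.0' -> (1, 1, 0). Leading digits of each dot-separated part are used,
    so '1.1.0rc1' -> (1, 1, 0); missing parts are padded with 0."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple((parts + [0, 0, 0])[:3])


def version_is_affected(version):
    """True when the installed version is 1.1.0 or earlier."""
    return parse_version(version) <= LAST_AFFECTED


def installed_version(wp_path):
    """Run the advisory's WP-CLI check; --name takes the plugin slug."""
    out = subprocess.run(
        ["wp", "plugin", "list", "--name=eri-file-library",
         "--field=version", f"--path={wp_path}"],
        capture_output=True, text=True, check=True,
    )
    return out.stdout.strip()


def classify_probe(status, headers):
    """Interpret the response to an anonymous GET of ACTION_URL.

    200 with an attachment Content-Disposition: a file was served to an
    anonymous caller (still vulnerable). 401/403: authorization enforced.
    Anything else (a 200 JSON error for a missing parameter, or the 400 '0'
    admin-ajax.php typically returns when no handler is hooked) is
    inconclusive on its own and must be read together with the version."""
    lowered = {k.lower(): v for k, v in headers.items()}
    disposition = lowered.get("content-disposition", "")
    if status == 200 and "attachment" in disposition.lower():
        return "served"
    if status in (401, 403):
        return "refused"
    return "inconclusive"


def probe(base_url):
    """Send the anonymous probe (no cookies) and classify the answer."""
    req = urllib.request.Request(
        base_url.rstrip("/") + ACTION_URL,
        headers={"User-Agent": "erifl-verify (added example)"},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return classify_probe(resp.status, resp.headers)
    except urllib.error.HTTPError as err:
        return classify_probe(err.code, err.headers)


def verdict(version, probe_result):
    """Combine both checks: an affected version stays VULNERABLE even when a
    WAF or workaround makes the probe come back refused."""
    if version_is_affected(version) or probe_result == "served":
        return "VULNERABLE"
    if probe_result == "refused":
        return "FIXED"
    return "UPDATED_BUT_UNCONFIRMED"


if __name__ == "__main__":
    import sys
    wp_path, base_url = sys.argv[1], sys.argv[2]
    v = installed_version(wp_path)
    result = probe(base_url)
    print(f"version={v} probe={result} -> {verdict(v, result)}")
```

Run it as `python verify.py /var/www/html https://your-site.example`. An UPDATED_BUT_UNCONFIRMED result is expected when the patched plugin answers a parameter-less request with a generic error rather than a 401/403; in that case the version check is the deciding evidence.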
📡 Detection & Monitoring
Log Indicators:
- Multiple 200 OK responses to /wp-admin/admin-ajax.php with action=erifl_file on requests that carry no WordPress login cookie (wordpress_logged_in_*)
- Unusual file download patterns from the plugin's directory
Network Indicators:
- HTTP POST/GET requests to /wp-admin/admin-ajax.php with action=erifl_file parameter from external IPs without authentication cookies
SIEM Query:
source="web_logs" AND uri="/wp-admin/admin-ajax.php" AND query="*action=erifl_file*" AND NOT user_agent="*WordPress*"
The user_agent exclusion only drops WordPress's own loopback requests (WP-Cron, REST self-calls) to reduce noise; it is not an authentication check, since any client can send any User-Agent. The query also sees the action only when it is in the query string: a POST carries it in the body, which access logs do not record, so POST abuse needs request-body logging or WAF telemetry.
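The log indicators above as runnable detection logic, run over a few constructed access-log lines. This is an added example for this page, not code from the plugin or its vendor. It parses the common/combined log format and, when the log format was extended with the request's Cookie header as a final quoted field, uses that field to separate logged-in callers (who carry a wordpress_logged_in_* cookie) from anonymous ones; without it, every 200 to the action is reported, which is what the SIEM query does. The sample lines and IPs are constructed, and since the advisory names no file-selecting parameter only action= appears in their query strings.

```python
"""Flag anonymous downloads through the ERI File Library AJAX action in web
server access logs. Added example for this page, not plugin or vendor code.
Log format: combined, optionally followed by the Cookie header as a final
quoted field. SAMPLE_LOG is constructed traffic."""
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

VULN_ACTION = "erifl_file"  # AJAX action named in the advisory

# ip - - [time] "METHOD URI PROTO" status bytes "referer" "user-agent" ["cookie"]
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<bytes>\d+|-)'
    r' "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
    r'(?: "(?P<cookie>[^"]*)")?$'
)


def parse_line(line):
    """Return the named fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def is_anonymous_download(rec):
    """True for a 200 to admin-ajax.php?action=erifl_file with no WordPress login cookie.
    The action is only visible when it travels in the query string; a POST body is
    not written to access logs, so POST abuse needs request-body logging or a WAF."""
    url = urlparse(rec["uri"])
    if not url.path.endswith("/wp-admin/admin-ajax.php"):
        return False
    if VULN_ACTION not in parse_qs(url.query).get("action", []):
        return False
    if rec["status"] != "200":
        return False
    cookie = rec["cookie"] or ""  # None when the log format has no cookie field
    return "wordpress_logged_in_" not in cookie


def scan(lines, threshold=1):
    """Count anonymous downloads per client IP; return IPs at or above threshold."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and is_anonymous_download(rec):
            hits[rec["ip"]] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}


# Constructed sample traffic (documentation IP ranges, made-up sizes and times).
SAMPLE_LOG = [
    # two anonymous requests served with 200 -> reported
    '203.0.113.7 - - [10/Oct/2025:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=erifl_file HTTP/1.1" 200 48213 "-" "curl/8.4.0" "-"',
    '203.0.113.7 - - [10/Oct/2025:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=erifl_file HTTP/1.1" 200 9911 "-" "curl/8.4.0" "-"',
    # logged-in user (auth cookie present) -> expected use, not reported
    '198.51.100.4 - - [10/Oct/2025:10:01:00 +0000] "GET /wp-admin/admin-ajax.php?action=erifl_file HTTP/1.1" 200 48213 "https://example.test/files/" "Mozilla/5.0" "wordpress_logged_in_0123abcd=editor%7Cexpiry%7Ctoken%7Chmac; wp-settings-time-2=1"',
    # anonymous request refused after the fix -> not reported
    '203.0.113.9 - - [10/Oct/2025:10:02:00 +0000] "GET /wp-admin/admin-ajax.php?action=erifl_file HTTP/1.1" 403 14 "-" "curl/8.4.0" "-"',
    # different AJAX action -> ignored
    '203.0.113.9 - - [10/Oct/2025:10:02:05 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 2 "-" "Mozilla/5.0" "-"',
    # plain combined format (no cookie field): login cannot be proven, so reported
    '192.0.2.21 - - [10/Oct/2025:10:03:00 +0000] "GET /wp-admin/admin-ajax.php?action=erifl_file HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, n in sorted(scan(SAMPLE_LOG).items()):
        print(f"{ip}: {n} anonymous download(s) via {VULN_ACTION}")
```

Feed a real log with `scan(open("/var/log/nginx/access.log"), threshold=3)`; raising the threshold trades a few missed single downloads for far fewer alerts on scanners that probe the endpoint once.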