CVE-2025-12583
📋 TL;DR
The Simple Downloads List WordPress plugin has an authorization bypass vulnerability that allows authenticated users with Subscriber-level access or higher to modify plugin settings and downloads, and inject malicious scripts. This affects all WordPress sites using plugin versions 1.4.3 and earlier. Attackers can compromise site integrity and potentially affect visitors.
💻 Affected Systems
- Simple Downloads List WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers inject persistent malicious scripts that compromise all site visitors, leading to credential theft, malware distribution, or complete site takeover.
Likely Case
Attackers modify download links to distribute malware or redirect users to malicious sites, or alter plugin settings to disrupt functionality.
If Mitigated
With proper access controls and monitoring, impact is limited to temporary service disruption or minor configuration changes.
🎯 Exploit Status
Exploitation requires authenticated access but is technically simple - attackers can send crafted AJAX requests to vulnerable endpoints.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.5.0
Vendor Advisory: https://plugins.trac.wordpress.org/browser/simple-downloads-list/tags/1.5.0/
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Simple Downloads List' and click 'Update Now'. 4. Verify version shows 1.5.0 or higher.
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoints
allBlock access to the vulnerable wp_ajax_neofix_sdl_edit endpoint and similar AJAX handlers
Add to .htaccess: RewriteCond %{QUERY_STRING} action=neofix_sdl_edit [NC] RewriteRule ^wp-admin/admin-ajax\.php$ - [F,L]
Restrict user capabilities
allRemove Subscriber role's ability to access admin-ajax.php or implement capability checks
Add to theme functions.php: add_filter('user_has_cap', 'restrict_sdl_access', 10, 4); function restrict_sdl_access($allcaps, $caps, $args, $user) { if (in_array('subscriber', $user->roles)) { unset($allcaps['read']); } return $allcaps; }
🧯 If You Can't Patch
- Disable the Simple Downloads List plugin immediately
- Implement web application firewall rules to block requests to vulnerable AJAX endpoints
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Simple Downloads List → Version. If version is 1.4.3 or lower, you are vulnerable.Check Version:
wp plugin list --name='simple-downloads-list' --field=versionVerify Fix Applied:
After updating, verify plugin version shows 1.5.0 or higher in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- POST requests to /wp-admin/admin-ajax.php with action=neofix_sdl_edit from non-admin users
- Multiple failed AJAX requests from same user attempting different actions
Network Indicators:
- Unusual spikes in admin-ajax.php requests from authenticated users
- POST requests to AJAX endpoints with unexpected parameters
SIEM Query:
source="wordpress.log" AND "admin-ajax.php" AND ("action=neofix_sdl_edit" OR "action=neofix_sdl_") AND user_role="subscriber"🔗 References
- https://plugins.trac.wordpress.org/browser/simple-downloads-list/tags/1.5.0/admin/adminpanel_v3.php?rev=3388438
- https://plugins.trac.wordpress.org/changeset?old_path=/simple-downloads-list/tags/1.4.3&new_path=/simple-downloads-list/tags/1.5.0&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/cbee3d3b-383b-48f5-be63-61cd692a18a0?source=cve
