CVE-2025-14633
📋 TL;DR
The F70 Lead Document Download WordPress plugin allows unauthenticated attackers to download any file from the WordPress media library by guessing attachment IDs. This affects all WordPress sites using plugin versions up to 1.4.4. The vulnerability stems from missing authorization checks in the file download function.
💻 Affected Systems
- F70 Lead Document Download WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Sensitive files containing credentials, personal data, or confidential documents are exfiltrated, leading to data breaches, regulatory violations, and reputational damage.
Likely Case
Attackers download publicly accessible media files or discover and exfiltrate sensitive files that shouldn't be publicly available.
If Mitigated
Only non-sensitive files are accessible, with minimal impact on site functionality.
🎯 Exploit Status
Exploitation requires guessing or enumerating WordPress attachment IDs, which can be automated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.4.5 or later
Vendor Advisory: https://plugins.trac.wordpress.org/browser/f70-lead-document-download
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find 'F70 Lead Document Download' and check if update is available. 4. Click 'Update Now' to install version 1.4.5 or later. 5. Verify plugin is updated.
🔧 Temporary Workarounds
Disable Plugin
allTemporarily deactivate the vulnerable plugin until patched.
wp plugin deactivate f70-lead-document-download
Restrict Access via .htaccess
linuxBlock direct access to plugin files via web server configuration.
<Files "class.download.php">
Order Allow,Deny
Deny from all
</Files>
🧯 If You Can't Patch
- Remove the plugin entirely if patching isn't possible.
- Implement web application firewall (WAF) rules to block requests to the vulnerable endpoint.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins for 'F70 Lead Document Download' version 1.4.4 or earlier.Check Version:
wp plugin get f70-lead-document-download --field=versionVerify Fix Applied:
Confirm plugin version is 1.4.5 or later in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- Unusual spikes in requests to /wp-content/plugins/f70-lead-document-download/includes/class.download.php
- Requests with 'file_download' parameter from unauthenticated IPs
Network Indicators:
- HTTP GET requests to plugin file with attachment ID parameters from external sources
SIEM Query:
source="web_logs" AND uri="/wp-content/plugins/f70-lead-document-download/includes/class.download.php" AND NOT user_agent="WordPress/*"🔗 References
- https://plugins.trac.wordpress.org/browser/f70-lead-document-download/tags/1.4.4/includes/class.download.php#L61
- https://plugins.trac.wordpress.org/browser/f70-lead-document-download/trunk/includes/class.download.php#L61
- https://www.wordfence.com/threat-intel/vulnerabilities/id/bba22270-de9b-4651-8180-c077ef113112?source=cve
