
Cloud Vulnerability DB
A community-led vulnerabilities database
The MelAbu WP Download Counter Button WordPress plugin, through version 1.8.6.7, contains a path validation vulnerability (CVE-2025-11072) that was disclosed on October 15, 2025. The flaw is in the plugin's download functionality and lets unauthenticated attackers read and download arbitrary files from the affected WordPress installation (WPScan).
The vulnerability exists because the plugin does not validate the path of the file it is asked to serve. In download.php, the code calls parse_url() on the 'durl' parameter and uses the returned path component as a filesystem path without further checks. By manipulating the 'durl', 'dtp', and 'dabp' parameters, an attacker can construct a path that points to arbitrary files on the server. The vulnerability has been assigned a CVSS score of 7.5 (High) (WPScan).
Successful exploitation gives an unauthenticated attacker the ability to read and download arbitrary files from the affected installation's filesystem. Which files are exposed is bounded only by the filesystem permissions of the PHP process that runs the plugin (WPScan).
At the time of writing there is no known fix for this vulnerability in the MelAbu WP Download Counter Button plugin. Administrators running affected versions should remove or disable the plugin until a patched release is available (WPScan). Because the plugin's download endpoint is reachable without authentication, web server access logs for requests to download.php with unexpected 'durl' values are the natural place to look for attempted exploitation.
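As an added illustration, not code from the plugin or from WPScan: a hypothetical PHP download resolver showing the weak pattern the advisory describes (trusting the path component that parse_url() returns for 'durl') next to a hardened version that canonicalises the path with realpath() and refuses anything outside the uploads directory. The base directory, the URL prefix and the sample inputs are assumptions; the real code in download.php and the roles of 'dtp' and 'dabp' are not reproduced here. Requires PHP 8 for str_starts_with()/str_contains().

```php
<?php
// Added example: a hypothetical download resolver, not the plugin's code.
declare(strict_types=1);

// Assumption: downloads may only be served from this directory.
const ALLOWED_BASE = '/var/www/html/wp-content/uploads';
// Assumption: the URL prefix under which uploads are published.
const UPLOADS_URL_PREFIX = '/wp-content/uploads/';

// Weak pattern as described in the advisory (reconstructed, not the plugin's
// code): the path component of an attacker-supplied URL is used as-is.
function weak_resolve(string $durl): string
{
    $path = parse_url($durl, PHP_URL_PATH);
    return is_string($path) ? $path : '';
}

// Hardened version: map the URL path onto the uploads directory, canonicalise
// it and enforce the base-directory boundary. Returns null on rejection.
function safe_resolve(string $durl): ?string
{
    $path = parse_url($durl, PHP_URL_PATH);
    if (!is_string($path) || $path === '' || str_contains($path, "\0")) {
        return null;
    }
    // Only paths published under the uploads prefix are candidates.
    if (!str_starts_with($path, UPLOADS_URL_PREFIX)) {
        return null;
    }
    // Decode before canonicalising so "..%2F" cannot slip past realpath().
    $relative = rawurldecode(substr($path, strlen(UPLOADS_URL_PREFIX)));
    if (str_contains($relative, "\0")) {
        return null;
    }
    $base      = realpath(ALLOWED_BASE);
    $candidate = realpath(ALLOWED_BASE . '/' . $relative);
    if ($base === false || $candidate === false) {
        return null; // base missing, or target does not exist
    }
    // Compare with a trailing separator so "/uploads2/..." is not accepted.
    if (!str_starts_with($candidate, $base . DIRECTORY_SEPARATOR)) {
        return null; // resolved outside the uploads directory
    }
    if (!is_file($candidate)) {
        return null; // directories and special files are never served
    }
    return $candidate;
}

// Constructed inputs for demonstration: one legitimate download URL and
// three attempts to reach a file outside the uploads directory.
$inputs = [
    'https://example.test/wp-content/uploads/2025/10/report.pdf',
    'https://example.test/wp-config.php',
    'https://example.test/wp-content/uploads/../../wp-config.php',
    'https://example.test/wp-content/uploads/..%2F..%2Fwp-config.php',
];
foreach ($inputs as $durl) {
    printf("%-68s weak=%s safe=%s\n",
        $durl,
        weak_resolve($durl),
        var_export(safe_resolve($durl), true));
}
```

The weak column shows how every URL path, including "/wp-config.php" and the traversal variants, is handed straight to the filesystem. The hardened resolver rejects the last three because, after decoding and realpath(), the result no longer starts with the uploads directory; the first is accepted only if the file actually exists under that directory, which is the correct behaviour for a download endpoint. Checking the prefix of the canonical path, rather than searching the raw input for "..", is what makes the check robust to encoding tricks and symlinks.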
Source: This report was generated using AI