CVE-2025-11072: 
WordPress vulnerability analysis and mitigation

The Download Counter Button WordPress plugin versions 1.8.6.7 and below contains an unauthenticated arbitrary file download vulnerability (CVE-2025-11072). The vulnerability was discovered by Khaled Alenazi (Nxploited) and publicly disclosed on October 15, 2025. The issue affects the plugin's file download functionality, which fails to properly validate file paths, potentially exposing sensitive files on the server (WPScan).

The vulnerability exists in the download.php file within the plugin's functions/count directory. The issue stems from improper validation of the 'durl' parameter, allowing attackers to manipulate file paths. The vulnerability has been assigned a CVSS score of 7.5 (High) and is classified as a Path Traversal vulnerability (CWE-22). The exploit requires no authentication and runs outside the WordPress authentication layer, with successful exploitation depending on the filesystem permissions of the PHP process (WPScan).

When exploited, this vulnerability allows unauthenticated attackers to read and download arbitrary files from the affected server's filesystem. This could lead to exposure of sensitive configuration files, system files, or other confidential information stored on the server (WPScan).

Currently, there is no known fix available for this vulnerability. Website administrators running the affected versions of the Download Counter Button plugin should consider disabling or removing the plugin until a security patch is released (WPScan).