CVE-2025-11174: 
WordPress vulnerability analysis and mitigation

The Document Library Lite plugin for WordPress contains an Improper Authorization vulnerability (CVE-2025-11174) affecting all versions up to and including 1.1.6. The vulnerability was discovered and disclosed on October 31, 2025, and primarily affects WordPress installations using this plugin (NVD).

The vulnerability stems from the plugin exposing an unauthenticated AJAX action 'dll_load_posts' that returns a JSON table of document data without performing proper nonce or capability checks. The handler accepts an attacker-controlled args array where the status option explicitly allows draft, pending, future, and any states. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating network accessibility with low attack complexity and no required privileges (NVD).

The vulnerability allows unauthenticated attackers to retrieve unpublished document titles and content via the AJAX endpoint. This could lead to the exposure of sensitive or confidential information that was intentionally kept in draft or pending status (NVD).

Users should update the Document Library Lite plugin to versions newer than 1.1.6 once available. Until then, website administrators should consider disabling the plugin if it's not critical to operations (NVD).