CVE-2025-11692: 
WordPress vulnerability analysis and mitigation

The Zip Attachments plugin for WordPress (versions up to and including 1.6) contains a vulnerability identified as CVE-2025-11692. The vulnerability was discovered and disclosed on October 14, 2025, and is characterized by missing authorization and capability checks in the download.php file. This security flaw affects the WordPress plugin's file handling functionality (NVD).

The vulnerability is classified with a CVSS v3.1 Base Score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N. The technical weakness is categorized as CWE-862 (Missing Authorization), indicating a fundamental security control issue in the plugin's implementation. The vulnerability specifically exists in the download.php file, where proper authorization checks are absent (Wordfence).

The vulnerability allows unauthenticated attackers to delete arbitrary files from the current wpuploaddir directory, potentially leading to unauthorized loss of data. The impact is primarily focused on file integrity and availability within the WordPress uploads directory (NVD).

Users of the Zip Attachments plugin should upgrade to a version newer than 1.6 once available. Until a patch is released, website administrators should consider disabling the plugin or implementing additional security controls to restrict access to the download.php file (NVD).