Download Counter Button <= 1.8.6.7 – Unauthenticated Arbitrary File Download | CVE 2025-11072

Description

The plugin does not validate the path of files to be downloaded, which could allow unauthenticated attacker to read/download arbitrary files.

Proof of Concept

curl -k "http://example.com/wp-content/plugins/download-counter-button/functions/count/download.php?durl=http://x/etc/passwd&dtp=text/plain&dabp=/"

Parameter Breakdown:

- durl=http://x/etc/passwd
  The code calls parse_url(durl) and takes the path component “/etc/passwd”. The hostname “x” is irrelevant; only the path is used to construct the local file path.
- dtp=text/plain
  A declared content type passed through to the response builder. It does not gate or validate access and can be any string.
- dabp=/
  Forces the parse branch that sets fullfilepath to “/” + parsed path, yielding an absolute filesystem path “/etc/passwd”. Thus the endpoint will stream that local file if readable.

Conditions:

- No authentication required (the endpoint runs outside WordPress auth layer).
- No nonce or capability checks are performed.
- Successful read depends on filesystem permissions of the PHP process.