WordPress Plugin Vulnerabilities

Download Attachments <= 1.4.0 - Unauthenticated Insecure Direct Object Reference

Description

The Download Attachments plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.4.0 due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to perform unauthorized actions.

Affects Plugins

Plugin icon
download-attachments
No known fix

References

CVE
CVE-2026-39616
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/3d492fcd-5138-44e8-816b-295ec219fd0d

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
6.5 (medium)

Miscellaneous

Original Researcher
Jakub Herman
Verified
No
WPVDB ID
bd0b2c5e-d717-4b35-b864-4cbf6f8dc9e3

Timeline

Publicly Published
2026-02-10 (about 3 months ago)
Added
2026-05-05 (about 8 days ago)
Last Updated
2026-05-05 (about 8 days ago)

Other

Published
Title
Published
2025-01-10
Title
RRAddons for Elementor <= 1.1.0 - Authenticated (Contributor+) Post Disclosure
Published
2021-03-31
Title
Realteo < 1.2.4 - Arbitrary Property Deletion via IDOR
Published
2024-12-05
Title
XLTab – Accordions and Tabs for Elementor Page Builder < 1.5 - Authenticated (Contributor+) Post Disclosure
Published
2026-02-24
Title
WP Recipe Maker < 10.3.0 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure
Published
2020-10-15
Title
Realia <= 1.4 - Unauthenticated IDOR leading to Arbitrary Post Deletion