CVE-2025-14633 in F70 Lead Document Download Plugin
Summary
by MITRE • 12/20/2025
The F70 Lead Document Download plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'file_download' function in all versions up to, and including, 1.4.4. This makes it possible for unauthenticated attackers to download any file from the WordPress media library by guessing or enumerating WordPress attachment IDs.
Analysis
by VulDB Data Team • 12/21/2025
The F70 Lead Document Download plugin for WordPress presents a critical authorization flaw that undermines the security of WordPress installations. This vulnerability resides in the plugin's 'file_download' function which fails to implement proper capability checks, creating an unauthorized access vector that affects all versions up to and including 1.4.4. The flaw represents a direct violation of the principle of least privilege, where the plugin should verify user permissions before granting file access but instead allows unrestricted downloads regardless of authentication status. The vulnerability stems from the plugin's inability to distinguish between authenticated users with appropriate permissions and unauthenticated attackers attempting to exploit the system.
The technical implementation of this flaw allows attackers to exploit the plugin's lack of access control by directly calling the file_download endpoint with specific attachment IDs. This enumeration-based attack vector enables unauthenticated threat actors to systematically discover valid WordPress attachment IDs through various means including brute force techniques, pattern recognition, or by leveraging previously discovered attachment identifiers from public sources. The vulnerability operates at the application layer and specifically targets the WordPress media library, which often contains sensitive documents, images, and files that may include proprietary information, personal data, or confidential business materials. The absence of proper capability validation means that any attacker who can guess or obtain valid attachment IDs can download files that should normally be restricted to authorized users only.
The operational impact of this vulnerability extends beyond simple unauthorized file access, creating potential data exfiltration scenarios that could compromise sensitive information within WordPress environments. Attackers can leverage this vulnerability to systematically harvest media library contents, potentially including customer data, internal documents, configuration files, or other sensitive materials that may contain intellectual property or personally identifiable information. The vulnerability's severity increases when considering that WordPress media libraries often contain files that are not properly secured, and the lack of authentication enforcement creates a persistent threat vector that remains active until the plugin is updated or the vulnerability is patched. This flaw particularly affects WordPress sites that rely heavily on media libraries for content management, customer portals, or document sharing systems where unauthorized access could result in significant financial, regulatory, or reputational damage.
Mitigation strategies for this vulnerability must address both immediate remediation and long-term security hardening measures. The primary solution involves updating to the latest version of the F70 Lead Document Download plugin where the capability check has been implemented to verify user permissions before allowing file downloads. Organizations should also implement additional protective measures including restricting access to the plugin's endpoints through firewall rules, implementing rate limiting to prevent enumeration attacks, and conducting regular security audits of installed plugins to identify similar authorization flaws. Network-based protections such as web application firewalls can help detect and block malicious requests attempting to exploit this vulnerability, while monitoring systems should be configured to alert on unusual file download patterns from WordPress media libraries. The vulnerability aligns with CWE-284 which addresses improper access control, and represents a specific implementation of the broader ATT&CK technique T1213.002 for accessing data through web application interfaces. Security teams should also consider implementing principle-based access controls and regularly reviewing user permissions to minimize the potential impact of such authorization bypass vulnerabilities in their WordPress environments.
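The monitoring recommendation above (alerting on unusual download patterns) can be prototyped against web server access logs by flagging any client that requests many distinct attachment IDs in a short time. This is an added example, not code from the plugin or from VulDB: the endpoint path and the `attachment_id` parameter are placeholders because the advisory does not give the request format, the log lines are constructed, and the window and threshold are assumed values to tune.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# ASSUMPTION: the advisory does not give the request format. The path and the
# "attachment_id" parameter are placeholders; substitute what your logs show.
DOWNLOAD_RE = re.compile(r"^/example-download-endpoint\?(?:[^ ]*&)?attachment_id=(\d+)")
# Combined Log Format prefix: client IP, [timestamp], "METHOD URL ..."
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)')

def _line(ip, hhmmss, att_id):
    """Build one constructed access-log line (documentation IP ranges only)."""
    return (f'{ip} - - [21/Dec/2025:{hhmmss} +0000] '
            f'"GET /example-download-endpoint?attachment_id={att_id} HTTP/1.1" 200 5120')

# Constructed sample input, not real traffic.
SAMPLE_LOG = (
    [_line("203.0.113.7", f"10:00:{s:02d}", 100 + s) for s in range(1, 7)]   # 6 IDs in 6 s
    + [_line("198.51.100.20", f"10:0{m}:00", 42) for m in range(1, 6)]       # same ID, 5 times
    + [_line("192.0.2.5", f"{h:02d}:00:00", 200 + h) for h in range(8, 14)]  # 6 IDs over 6 h
)

def find_enumeration(lines, window=timedelta(minutes=5), threshold=5):
    """Map client IP -> sorted distinct attachment IDs seen in the first
    `window`-long span in which that client reached `threshold` distinct IDs."""
    events = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        d = DOWNLOAD_RE.match(m.group(3)) if m else None
        if not d:
            continue  # unparseable line, or not a download request
        when = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        events[m.group(1)].append((when, int(d.group(1))))
    flagged = {}
    for ip, hits in events.items():
        hits.sort()
        start = 0
        for end, (when, _) in enumerate(hits):
            while when - hits[start][0] > window:
                start += 1  # drop requests that fell out of the window
            ids = {att for _, att in hits[start:end + 1]}
            if len(ids) >= threshold:  # repeats of one ID never count twice
                flagged[ip] = sorted(ids)
                break
    return flagged

if __name__ == "__main__":
    for ip, ids in find_enumeration(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {len(ids)} distinct attachment IDs within window: {ids}")
```

Counting distinct IDs rather than raw requests keeps a visitor who downloads the same document repeatedly from triggering the alert, while failed guesses still count because the response status is not filtered.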