Security compromised | WordPress.org

nicubunu
(@nicubunu)

9 months, 3 weeks ago

Our hosting reported this plugin is vulnerable and asked us to disable/replace it immediately. Info about vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2025-49995

Any plans for an update to fix it?

Viewing 2 replies - 1 through 2 (of 2 total)

Plugin Author dFactory
(@dfactory)

9 months, 2 weeks ago

We’ve been reported this.

Thing is it’s not a security issue but a plugin feature that can be easilly changed with one option that exists in the plugin. It’s about downloading an attachment by numeric id. We’ve explained them that that is a core plugin feature, but if you don’t like it this way and there is an option to switch from numeric to unique encrypted id (which can’t be identified).

They ignored these explanations – did not reply to our email and marked the plugin as having security issues.

Thread Starter nicubunu
(@nicubunu)

9 months, 2 weeks ago

This is on a couple of government websites, we aren’t allowed to run software with open CVEs. I will have to remove the plugin and maybe look for an alternative.

Viewing 2 replies - 1 through 2 (of 2 total)

The topic ‘Security compromised’ is closed to new replies.

2 replies
3 participants
Last reply from: nicubunu
Last activity: 9 months, 2 weeks ago
Status: not resolved