{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39616", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:57:27.974Z", "datePublished": "2026-04-08T08:30:25.169Z", "dateUpdated": "2026-04-14T14:05:43.461Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "download-attachments", "product": "Download Attachments", "vendor": "dFactory", "versions": [{"lessThanOrEqual": "1.4.0", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jakub Herman | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:37.746Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Authorization Bypass Through User-Controlled Key vulnerability in dFactory Download Attachments download-attachments allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Download Attachments: from n/a through <= 1.4.0.</p>"}], "value": "Authorization Bypass Through User-Controlled Key vulnerability in dFactory Download Attachments download-attachments allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Download Attachments: from n/a through <= 1.4.0."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "description": "Authorization Bypass Through User-Controlled Key", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:25.169Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/download-attachments/vulnerability/wordpress-download-attachments-plugin-1-4-0-insecure-direct-object-references-idor-vulnerability?_s_id=cve"}], "title": "WordPress Download Attachments plugin <= 1.4.0 - Insecure Direct Object References (IDOR) vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-14T14:04:33.745143Z", "id": "CVE-2026-39616", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T14:05:43.461Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-39616", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T14:04:33.745143Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T14:03:39.500Z"}}], "cna": {"title": "WordPress Download Attachments plugin <= 1.4.0 - Insecure Direct Object References (IDOR) vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Jakub Herman | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "affected": [{"vendor": "dFactory", "product": "Download Attachments", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.4.0"}], "packageName": "download-attachments", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-08T10:28:37.746Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/download-attachments/vulnerability/wordpress-download-attachments-plugin-1-4-0-insecure-direct-object-references-idor-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Authorization Bypass Through User-Controlled Key vulnerability in dFactory Download Attachments download-attachments allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Download Attachments: from n/a through <= 1.4.0.", "supportingMedia": [{"type": "text/html", "value": "Authorization Bypass Through User-Controlled Key vulnerability in dFactory Download Attachments download-attachments allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Download Attachments: from n/a through <= 1.4.0.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:25.169Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39616", "state": "PUBLISHED", "dateUpdated": "2026-04-14T14:05:43.461Z", "dateReserved": "2026-04-07T10:57:27.974Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-04-08T08:30:25.169Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Authorization Bypass Through User-Controlled Key vulnerability in dFactory Download Attachments download-attachments allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Download Attachments: from n/a through <= 1.4.0."}], "id": "CVE-2026-39616", "lastModified": "2026-04-14T15:16:35.150", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-08T09:16:31.460", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/download-attachments/vulnerability/wordpress-download-attachments-plugin-1-4-0-insecure-direct-object-references-idor-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.4.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Download Attachments", "source": "cna", "vendor": "dFactory"}, "product": "download_attachments", "vendor": "dfactory"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-14T16:06:40.906340+00:00", "value": {"mitigation_remediation": ["Update dFactory Download Attachments plugin to a version newer than 1.4.0.", "Verify that the plugin\u2019s access control settings are correctly configured, ensuring that only authorized users can reference attachment keys.", "Monitor access logs for unusual download activity before and after the patch."], "summary": {"action": "Patch", "impact": "Unauthorized Access to Protected Content"}, "threat_synthesis": {"affected_systems": "This issue affects the WordPress plugin dFactory Download Attachments in every release up to and including version\u00a01.4.0. Site administrators whose sites run this plugin should verify whether they host sensitive attachments that could be accessed through the download interface.", "description_and_impact": "An authorization bypass in the dFactory Download Attachments plugin occurs when a user can construct a request that references files they are not permitted to download. This flaw allows confidential attachments to be exposed, effectively compromising the confidentiality of protected content. The weakness is a classic Insecure Direct Object Reference, classified as CWE\u2011639.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of widespread exploitation. The vulnerability is not listed in the CISA KEV catalog, meaning no publicly confirmed exploits are currently known. The likely attack vector is inferred from the description as the manipulation of the download key or URL parameter that the plugin uses to locate files. If an attacker discovers a valid key, they can download any attachment that the plugin believes they own, requiring only basic knowledge of the plugin\u2019s filename mapping. This could lead to unsolicited disclosure of private data from the affected WordPress site."}}}}, "created": "2026-04-08T19:29:43.854141+00:00", "updated": "2026-04-14T16:39:02.244555+00:00", "vendors": ["dfactory", "dfactory$PRODUCT$download_attachments", "wordpress", "wordpress$PRODUCT$wordpress"]}