{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39616", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:57:27.974Z", "datePublished": "2026-04-08T08:30:25.169Z", "dateUpdated": "2026-04-08T08:30:25.169Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "download-attachments", "product": "Download Attachments", "vendor": "dFactory", "versions": [{"lessThanOrEqual": "1.4.0", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jakub Herman | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:37.746Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Authorization Bypass Through User-Controlled Key vulnerability in dFactory Download Attachments download-attachments allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Download Attachments: from n/a through <= 1.4.0.</p>"}], "value": "Authorization Bypass Through User-Controlled Key vulnerability in dFactory Download Attachments download-attachments allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Download Attachments: from n/a through <= 1.4.0."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "description": "Authorization Bypass Through User-Controlled Key", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:25.169Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/download-attachments/vulnerability/wordpress-download-attachments-plugin-1-4-0-insecure-direct-object-references-idor-vulnerability?_s_id=cve"}], "title": "WordPress Download Attachments plugin <= 1.4.0 - Insecure Direct Object References (IDOR) vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Authorization Bypass Through User-Controlled Key vulnerability in dFactory Download Attachments download-attachments allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Download Attachments: from n/a through <= 1.4.0."}], "id": "CVE-2026-39616", "lastModified": "2026-04-08T21:26:35.910", "metrics": {}, "published": "2026-04-08T09:16:31.460", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/download-attachments/vulnerability/wordpress-download-attachments-plugin-1-4-0-insecure-direct-object-references-idor-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.4.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Download Attachments", "source": "cna", "vendor": "dFactory"}, "product": "download_attachments", "vendor": "dfactory"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T09:41:20.825250+00:00", "value": {"mitigation_remediation": ["Upgrade the dFactory Download Attachments plugin to the latest version (currently 1.4.1 or newer).", "If an update is not immediately possible, restrict direct object access by disabling or hard\u2011coding the direct attachment URLs, ensuring that only authenticated users can refer to them.", "Apply the principle of least privilege to the WordPress installation, ensuring that the minimum necessary roles can access the plugin\u2019s functionalities."], "summary": {"action": "Patch", "impact": "Authorization Bypass"}, "threat_synthesis": {"affected_systems": "WordPress sites that use the dFactory Download Attachments plugin, versions up to and including 1.4.0. The problem exists in all installable releases where the plugin is present, as the code path is not guarded by proper role checks. Users should identify whether they run any version in the affected range and note that any installation of the plugin before 1.4.1 is vulnerable.", "description_and_impact": "An IDOR flaw exists in the dFactory Download Attachments plugin for WordPress that permits an attacker to manipulate a user\u2011controlled key, bypassing the intended access control and retrieving any attachment the website owner has stored. The vulnerability stems from improperly enforced security levels, allowing read access to resources that should be restricted to authorized users only. This creates a severe threat to confidentiality, because an unauthenticated or low\u2011privileged user can obtain private files, and it compromises integrity if the attacker can replace or tamper with attachments. The primary impact is an authorization bypass with potentially widespread access across the site.", "risk_and_exploitability": "The CVSS score is not supplied, but the defect allows direct access to user data via a direct object reference, indicating high severity. EPSS information is unavailable, and the vulnerability is not listed in the CISA KEV catalog, suggesting no confirmed widespread exploitation yet. However, attackers can exploit this weakness using crafted URLs or parameters, which typically requires only knowledge of the site structure and is feasible over an exposed network. The absence of advanced authentication checks means that the attack does not need elevated privileges, making the risk significant for any site with public or limited user access."}}}}, "created": "2026-04-08T19:29:43.854141+00:00", "updated": "2026-04-08T19:42:00.609188+00:00", "vendors": ["dfactory", "dfactory$PRODUCT$download_attachments", "wordpress", "wordpress$PRODUCT$wordpress"]}