Vulnerabilities and security researches forzip-attachments zip-attachments

Jun 07, 2024

CVE, Research URL: CVE-2015-4694
Home page URL: Security reports for Zip Attachments
Application: Zip Attachments
Date: Jan 09, 2016
Research Description: Directory traversal vulnerability in download.php in the Zip Attachments plugin before 1.5.1 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the za_file parameter.
Affected versions: max 1.5.1.
Status: vulnerable

Nov 10, 2025

CVE, Research URL: CVE-2025-11692
Home page URL: Security reports for Zip Attachments
Application: Zip Attachments
Date: Oct 15, 2025
Research Description: The Zip Attachments plugin for WordPress is vulnerable to unauthorized loss of data due to a missing authorization and capability checks on the download.php file in all versions up to, and including, 1.6. This makes it possible for unauthenticated attackers to delete arbitrary files from the current wp_upload_dir directory.
Affected versions: max 1.6.
Status: vulnerable

CVE, Research URL: CVE-2025-11701
Home page URL: Security reports for Zip Attachments
Application: Zip Attachments
Date: Oct 15, 2025
Research Description: The Zip Attachments plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check as well as missing post status validation in the za_create_zip_callback function in all versions up to, and including, 1.6. This makes it possible for unauthenticated attackers to download attachments from private and password-protected posts.
Affected versions: max 1.6.
Status: vulnerable