CVE-2025-12041 MEDIUM

CVE-2025-12041: ERI File Library <= 1.1.0 - Missing Authorization to Unauthenticated Protected File Download

Vendor Apos37
Product ERI File Library
Weakness CWE-862 · Missing authorization
Published October 31, 2025
Last update April 8, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

The ERI File Library plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'erifl_file' AJAX action in all versions up to, and including, 1.1.0. This makes it possible for unauthenticated attackers to download files restricted to specific user roles.

Explanation of Vulnerability in Simple Terms

02Summary

ERI File Library versions 1.1.0 and earlier lack proper authorization checks, allowing unauthenticated attackers to read sensitive file information over the network. The vulnerability requires no user interaction and affects the confidentiality of stored files. Site administrators should update to a version newer than 1.1.0 when available.

What an attacker can do

03Attacker Capabilities

Read sensitive file metadata and contents without authentication.

Potential impact on your site

04Site Impact

Unauthorized users can access file library contents, potentially exposing sensitive documents or data.

Conditions required to exploit

05Prerequisites

Network access to the affected ERI File Library instance; no authentication required.

Key dates

06Disclosure timeline

October 31, 2025 CVE published
April 8, 2026 Record updated