PT-2025-44695 · WordPress · Document Library Lite

Avraham Shemesh +1 · Published 2025-11-01 · Updated 2025-11-15 · CVE-2025-11174

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Document Library Lite versions prior to 1.1.7

Description

The Document Library Lite plugin for WordPress has an issue with authorization. An unauthenticated AJAX action, dll load posts, exposes a JSON table of document data without proper checks. The args array accepted by this handler allows attackers to retrieve unpublished document titles and content, including those with draft, pending, or future status. The vulnerable API endpoint is /wp-admin/admin-ajax.php. The status parameter within the args array is attacker-controlled.

Recommendations

Update Document Library Lite to version 1.1.7 or later.
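
The weakness described above, an AJAX handler reachable without login that passes a client-supplied args array into a post query, is closed by deciding the post status on the server. The PHP below is an added illustration, not the plugin's code or its 1.1.7 patch; the action name, post type, capability choice and every args key other than status are assumptions.

```php
<?php
// Added illustration: action name, post type and keys other than 'status' are hypothetical.

/**
 * Reduce a client-supplied args array to query arguments that are safe to run.
 * Unknown keys are dropped and 'status' is filtered by what the caller may see.
 */
function example_sanitize_args( array $raw, bool $can_see_unpublished ): array {
    $allowed_keys = array( 'status', 'rows_per_page', 'search' ); // constructed allow-list
    $args = array_intersect_key( $raw, array_flip( $allowed_keys ) );

    $permitted = $can_see_unpublished
        ? array( 'publish', 'draft', 'pending', 'future' )
        : array( 'publish' );

    // Accept a string or a list of strings; nested arrays are discarded.
    $requested = array_filter( (array) ( $args['status'] ?? 'publish' ), 'is_string' );

    // Intersect instead of trusting: a disallowed value degrades to published-only.
    $status = array_values( array_intersect( $requested, $permitted ) );
    $args['status'] = $status ? $status : array( 'publish' );

    return $args;
}

function example_ajax_load_posts() {
    $raw = ( isset( $_POST['args'] ) && is_array( $_POST['args'] ) )
        ? wp_unslash( $_POST['args'] )
        : array();

    // The capability check, not the request, decides whether drafts are visible.
    $args = example_sanitize_args( $raw, current_user_can( 'edit_others_posts' ) );

    $posts = get_posts( array(
        'post_type'      => 'example_document', // hypothetical post type
        'post_status'    => $args['status'],
        'posts_per_page' => max( 1, min( 50, absint( $args['rows_per_page'] ?? 20 ) ) ),
        's'              => sanitize_text_field( $args['search'] ?? '' ),
    ) );

    wp_send_json_success( wp_list_pluck( $posts, 'post_title', 'ID' ) );
}
// Registered for logged-in and anonymous callers alike, so the handler must self-check.
add_action( 'wp_ajax_example_load_posts', 'example_ajax_load_posts' );
add_action( 'wp_ajax_nopriv_example_load_posts', 'example_ajax_load_posts' );
```

The same filtering applies to any handler registered on a wp_ajax_nopriv_ hook: every value that selects which posts are returned is either fixed server-side or gated on a capability check.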

Fix

Improper Authorization

Weakness Enumeration

Related Identifiers

CVE-2025-11174

Affected Products

Document Library Lite