CVE-2025-11174

MEDIUM 5.3

Document Library Lite <= 1.1.6 - Missing Authorization to Sensitive Information Exposure

CVSS Score

5.3

EPSS Score

0.0%

EPSS Percentile

0th

The Document Library Lite plugin for WordPress is vulnerable to Improper Authorization in all versions up to, and including, 1.1.6. This is due to the plugin exposing an unauthenticated AJAX action dll_load_posts which returns a JSON table of document data without performing nonce or capability checks. The handler accepts an attacker-controlled args array where the status option explicitly allows draft, pending, future, and any. This makes it possible for unauthenticated attackers to retrieve unpublished document titles and content via the AJAX endpoint.

CWE	CWE-285
Vendor	barn2media
Product	document library lite
Published	Nov 1, 2025
Last Updated	Apr 8, 2026

Stay Ahead of the Next One

Get instant alerts for barn2media document library lite

Be the first to know when new medium vulnerabilities affecting barn2media document library lite are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

barn2media / Document Library Lite

0 ≤ 1.1.6

References

NVD ↗ CVE.org ↗ EPSS Data ↗

Credits

Avraham Shemesh Kai Aizen