CVE-2025-10747
WordPress · WordPress WP-DownloadManager Plugin
Executive summary
A high-severity vulnerability has been identified in the WP-DownloadManager plugin for WordPress, which could allow an attacker to take complete control of an affected website. This flaw enables unauthorized individuals to upload malicious files, such as web shells, by bypassing file type checks. Successful exploitation could lead to website defacement, data theft, or the server being used for further malicious activities.
Vulnerability
The WP-DownloadManager plugin for WordPress is vulnerable to arbitrary file upload. The vulnerability exists because the file upload functionality associated with the download-add feature fails to properly validate the type of file being uploaded. An authenticated attacker (and potentially an unauthenticated one, depending on the plugin's configuration) can exploit this by crafting a request that uploads a malicious script (e.g., a PHP web shell) disguised as a legitimate file. Once uploaded, the attacker can reach the script via a direct URL and execute arbitrary code on the server with the permissions of the web server's user account.
Business impact
This vulnerability is rated as High severity with a CVSS score of 7.2. A successful exploit could have a significant negative impact on the business. An attacker gaining control of the web server could lead to a full system compromise, resulting in the theft of sensitive data such as customer information, intellectual property, and internal credentials. Further risks include reputational damage from website defacement, financial loss from business disruption, and potential legal or regulatory penalties if customer data is breached. The compromised server could also be leveraged to attack other systems within the internal network or used as part of a botnet for external attacks.
Remediation
Immediate Action:
- Immediately identify all WordPress instances running the vulnerable WP-DownloadManager plugin.
- Update the plugin to the latest patched version provided by the vendor to remediate the vulnerability.
- If the plugin is not critical for business operations, consider deactivating and uninstalling it to reduce the overall attack surface.
Proactive Monitoring:
- Monitor web server logs for suspicious POST requests to the plugin's file upload endpoints.
- Implement File Integrity Monitoring (FIM) to detect the creation of unauthorized files (especially with extensions like .php, .phtml, .php5) in web-accessible directories.
- Monitor for unusual outbound network traffic originating from the web server, which could indicate a successful compromise and communication with a command-and-control server.
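A minimal file-integrity check of the kind the monitoring bullets describe, added here as an example (it is not code from the advisory or from the plugin): it baselines an upload directory by SHA-256, reports files that appeared or changed, and flags any newcomer that carries a script extension (including double-extension names) or opens with a PHP tag. The extensions beyond .php/.phtml/.php5 and the sample files are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

# Extensions named in the advisory (.php, .phtml, .php5) plus two common PHP
# variants; align with what your web server actually executes (assumption).
SCRIPT_EXTENSIONS = {".php", ".phtml", ".php5", ".php7", ".phar"}


def looks_like_script(path: Path) -> bool:
    """True if ANY suffix is a script extension (catches double-extension names
    such as 'invoice.pdf.php' or 'photo.php.jpg') or the first bytes hold a PHP tag."""
    if {s.lower() for s in path.suffixes} & SCRIPT_EXTENSIONS:
        return True
    with path.open("rb") as fh:
        head = fh.read(256)
    return b"<?php" in head or head.startswith(b"<?=")


def snapshot(root: Path) -> dict[str, str]:
    """Relative path -> SHA-256 for every regular file under root (the FIM baseline)."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_snapshots(baseline: dict, current: dict) -> dict[str, list[str]]:
    """Report files that appeared, changed, or vanished since the baseline."""
    common = baseline.keys() & current.keys()
    return {"added": sorted(current.keys() - baseline.keys()),
            "modified": sorted(k for k in common if baseline[k] != current[k]),
            "removed": sorted(baseline.keys() - current.keys())}


def flag_scripts(root: Path, names: list[str]) -> list[str]:
    """Subset of the given relative paths that should never sit in an upload directory."""
    return [n for n in names if looks_like_script(root / n)]


def demo() -> dict:
    """Constructed scenario: a clean baseline, then new files land in the upload dir."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "report.pdf").write_bytes(b"%PDF-1.4 constructed sample")
        base = snapshot(root)
        # Constructed samples with benign content: one caught by extension, one by
        # double extension, one by content under a harmless name, one legitimate.
        (root / "a.php").write_bytes(b"<?php echo 'hi'; ?>")
        (root / "photo.php.jpg").write_bytes(b"\xff\xd8\xff\xe0 constructed")
        (root / "notes.txt").write_bytes(b"<?php phpinfo(); ?>")
        (root / "logo.png").write_bytes(b"\x89PNG constructed")
        delta = diff_snapshots(base, snapshot(root))
        return {"delta": delta, "flagged": flag_scripts(root, delta["added"])}
```

In production, persist the baseline outside the web root and run the diff on a schedule, alerting on anything in "flagged" as well as on unexpected "modified" entries.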
Compensating Controls:
- If immediate patching is not feasible, deploy a Web Application Firewall (WAF) with rules designed to block the upload of executable file types.
- Modify web server configurations to disallow the execution of scripts in the directories where the plugin stores uploads.
- Restrict access to the WordPress administrative dashboard to trusted IP addresses only.
Exploitation status
Public Exploit Available: False
Analyst recommendation
Given the high CVSS score of 7.2 and the critical impact of a successful exploit (remote code execution), this vulnerability presents a significant risk to the organization. Although CVE-2025-10747 is not currently listed on the CISA KEV catalog, its nature makes it a prime target for widespread exploitation. We strongly recommend that all teams responsible for WordPress websites prioritize the immediate identification and patching of the vulnerable WP-DownloadManager plugin across all environments. If the plugin is not essential, it should be removed as a precautionary measure.