CVE-2025-10747 in WP-DownloadManager Plugin
Summary
by MITRE • 09/26/2025
The WP-DownloadManager plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the download-add.php file in all versions up to, and including, 1.68.11. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 09/26/2025
The WP-DownloadManager plugin represents a widely used WordPress solution for managing file downloads and access control within web applications. This particular vulnerability exists within the download-add.php component of the plugin's codebase, where insufficient input validation mechanisms fail to properly verify file types during the upload process. The flaw specifically affects all versions up to and including 1.68.11, creating a persistent security weakness that has remained unaddressed across multiple releases. The vulnerability stems from the absence of proper file extension and content validation checks that should occur before allowing file uploads to proceed, leaving the system exposed to malicious file injection attempts.
The technical exploitation of this vulnerability requires an authenticated attacker possessing administrator-level privileges or higher within the WordPress environment. This prerequisite significantly reduces the attack surface but does not eliminate the severity of the issue since administrative access often provides extensive control over website functionality. When combined with the missing file type validation, this vulnerability creates a pathway for attackers to upload malicious files such as php scripts, shell files, or other executable content directly onto the web server. The absence of proper file validation means that attackers can bypass standard security measures designed to prevent uploading of dangerous file types, potentially leading to complete system compromise.
The operational impact of this vulnerability extends far beyond simple file upload capabilities, as it enables potential remote code execution on the affected server. Once an attacker successfully uploads malicious code, they can execute arbitrary commands on the web server, potentially leading to data exfiltration, service disruption, or complete system takeover. The implications for organizations using WordPress with this plugin are severe, as the vulnerability allows for persistent backdoor access and can be leveraged to establish long-term control over the compromised website infrastructure. This risk is particularly concerning in environments where the plugin is widely deployed across multiple sites or where the administrative accounts are not properly secured.
Mitigation strategies for this vulnerability must address both immediate remediation and long-term security posture improvements. The most effective immediate solution involves upgrading to the latest available version of the WP-DownloadManager plugin where the file validation has been properly implemented. Organizations should also implement additional security measures including restricting file upload capabilities to only essential file types, implementing proper file content verification mechanisms, and establishing robust access control policies. The vulnerability aligns with CWE-434 which specifically addresses insecure file upload vulnerabilities, and represents a clear violation of the principle of least privilege as outlined in the ATT&CK framework's initial access and execution phases. Regular security audits and vulnerability assessments should be conducted to identify similar issues in other plugins and themes, while maintaining up-to-date security monitoring to detect any unauthorized file upload activities that may indicate exploitation attempts.