CVE-2025-10754 in DocoDoco Store Locator Plugin
Summary
by MITRE • 10/15/2025
The DocoDoco Store Locator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the zip upload functionality in all versions up to, and including, 1.0.1. This makes it possible for authenticated attackers, with Editor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 10/17/2025
The vulnerability identified as CVE-2025-10754 affects the DocoDoco Store Locator plugin for WordPress, representing a critical security flaw that undermines the integrity of WordPress installations. This issue stems from inadequate input validation within the plugin's zip upload functionality, creating a pathway for malicious actors to exploit the system. The vulnerability specifically targets versions up to and including 1.0.1, indicating that the plugin developers failed to implement proper file type verification mechanisms during the upload process. The flaw exists within the plugin's core architecture, where the system does not adequately validate the contents of uploaded zip files, allowing attackers to bypass normal security restrictions.
The technical implementation of this vulnerability enables authenticated attackers who possess Editor-level permissions or higher to execute arbitrary file uploads on affected WordPress servers. This privilege escalation scenario is particularly concerning because it does not require administrative credentials, only a user account with sufficient privileges to modify plugin settings or upload files. The missing file type validation means that attackers can upload malicious files such as php scripts, shell scripts, or other executable content without detection. This vulnerability directly maps to CWE-434, which describes the weakness of allowing untrusted data to be uploaded to a web server without proper validation, and aligns with ATT&CK technique T1190, which covers exploiting vulnerabilities in web applications to achieve code execution.
The operational impact of this vulnerability extends beyond simple unauthorized file placement, as it creates a persistent threat vector for remote code execution. Once an attacker successfully uploads malicious files, they can potentially establish backdoors, execute commands on the server, steal sensitive data, or use the compromised system as a launch point for further attacks. The vulnerability affects WordPress installations that rely on the DocoDoco Store Locator plugin, making it a widespread concern for businesses and organizations using this specific plugin. The attack surface is particularly dangerous because it can be exploited through legitimate plugin functionality, making detection more challenging for security monitoring systems. The vulnerability also demonstrates poor security practices in plugin development, where basic input validation is omitted despite the obvious risks associated with file upload functionalities.
Mitigation strategies for CVE-2025-10754 should prioritize immediate plugin updates to versions that address the file validation issue, as this represents the most effective solution. Organizations should also implement additional security measures such as restricting file upload capabilities to only trusted users, implementing strict file type filtering, and conducting regular security audits of installed plugins. Network-based detection measures can help identify suspicious upload activities, while monitoring for unusual file patterns or unauthorized modifications to the plugin directory can provide early warning of exploitation attempts. System administrators should also consider implementing web application firewalls that can block suspicious upload requests and maintain regular backups to ensure rapid recovery from potential compromise. The vulnerability highlights the importance of proper security testing during plugin development and the necessity of following secure coding practices as outlined in industry standards such as the OWASP Top Ten and NIST cybersecurity guidelines.