CVE-2025-10747
📋 TL;DR
The WP-DownloadManager WordPress plugin allows authenticated administrators to upload arbitrary files due to missing file type validation. This vulnerability could lead to remote code execution on affected WordPress sites. Only sites using vulnerable versions of this plugin are affected.
💻 Affected Systems
- WP-DownloadManager WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise via remote code execution, allowing attackers to steal data, install malware, or pivot to other systems.
Likely Case
Attackers with administrator credentials upload webshells to gain persistent access and execute arbitrary commands on the server.
If Mitigated
If proper file upload restrictions and administrator account security are in place, impact is limited to unauthorized file storage.
🎯 Exploit Status
Exploitation requires administrator credentials but is technically simple once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 1.68.11
Vendor Advisory: https://wordpress.org/plugins/wp-downloadmanager/
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find WP-DownloadManager and click 'Update Now'. 4. Verify plugin version is 1.68.12 or higher.
🔧 Temporary Workarounds
Disable Plugin
allTemporarily disable the vulnerable plugin until patched
wp plugin deactivate wp-downloadmanager
Restrict File Uploads
linuxAdd server-side file type validation via .htaccess or web server configuration
# Add to .htaccess:
<FilesMatch "\.(php|phtml|php3|php4|php5|php7|phps|phar|inc|pl|py|jsp|asp|sh|cgi|exe)$">
Order Allow,Deny
Deny from all
</FilesMatch>
🧯 If You Can't Patch
- Remove administrator access from all non-essential users and enforce strong password policies
- Implement web application firewall rules to block suspicious file upload patterns
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Installed Plugins for WP-DownloadManager version ≤1.68.11Check Version:
wp plugin get wp-downloadmanager --field=versionVerify Fix Applied:
Verify plugin version is 1.68.12 or higher in WordPress admin panel📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads to /wp-content/plugins/wp-downloadmanager/
- POST requests to download-add.php with executable file extensions
Network Indicators:
- HTTP POST requests containing PHP/executable files to plugin endpoints
SIEM Query:
source="web_server" AND (uri_path="*download-add.php*" AND method="POST" AND (file_extension="php" OR file_extension="exe" OR file_extension="sh"))🔗 References
- https://plugins.trac.wordpress.org/browser/wp-downloadmanager/trunk/download-add.php#L35
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3364847%40wp-downloadmanager&new=3364847%40wp-downloadmanager&sfp_email=&sfph_mail=
- https://wordpress.org/plugins/wp-downloadmanager/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/2c535cea-dad6-440f-b37f-6d196b469214?source=cve
