CVE Alert: CVE-2025-10747 – gamerz – WP-DownloadManager

CVE-2025-10747

Severity: HIGH. No exploitation known.

The WP-DownloadManager plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the download-add.php file in all versions up to, and including, 1.68.11. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site’s server which may make remote code execution possible.

CVSS v3.1: 7.2
Vendor: gamerz
Product: WP-DownloadManager
Versions: <= 1.68.11
CWE: CWE-434 Unrestricted Upload of File with Dangerous Type
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Published: 2025-09-26T05:27:20.601Z
Updated: 2025-09-26T05:27:20.601Z

AI Summary Analysis

Risk verdict

High risk: an authenticated administrator can upload arbitrary files via WP-DownloadManager <= 1.68.11, potentially enabling remote code execution; treat as priority 1 if the CVE appears in the CISA KEV catalogue or SSVC indicates active exploitation.

Why this matters

For sites using the affected plugin, a compromised admin account or abuse of admin access can lead to persistent web shells, full site compromise, data exposure, and defacement. The impact is amplified in environments hosting multiple sites or sensitive WordPress data, where one vulnerable plugin can serve as a foothold for broader attacker activity.

Most likely attack path

An authenticated admin visits the vulnerable upload point and supplies a crafted file that is not subject to type validation. The attacker can store a PHP payload on the server and then request it to achieve code execution. No user interaction is needed (UI:N), but Administrator-level privileges are (PR:H), so the realistic precondition is a compromised or malicious admin account. Follow-on movement is mainly within the hosting environment, with persistence and broader compromise possible if server permissions allow.

Who is most exposed

WordPress sites actively using WP-DownloadManager (especially on shared/managed hosting) and where admin credentials are compromised or weakly protected.

Detection ideas

  • Look for new PHP files appearing under plugin/upload directories after admin activity.
  • Unusual POST requests to download-add.php carrying multipart file payloads.
  • Large or unexpected file uploads by admins outside normal workflow.
  • Web shell indicators or base64/obfuscated payloads in newly uploaded files.
  • Anomalous admin actions: rapid file uploads, or admin login from unusual locations.
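The detection ideas above can be turned into two simple checks: one over web server access logs (a POST to the affected endpoint, or any request for a server-side script from an upload directory), and one over the files present in the upload directory (executable extensions, double extensions, PHP open tags, common web shell markers). The script below is an added illustration written for this alert, not code from the plugin or its vendor. The admin URL path, the `/wp-content/files/` upload location, the log lines and the file contents are all constructed assumptions; adjust the paths to match the installation being checked.

```python
import re

# File extensions a web server may hand to the PHP interpreter.
EXEC_EXT = {"php", "phtml", "php3", "php4", "php5", "php7", "phps", "phar"}
# Functions commonly seen in web shells; presence alone is not proof, only a trigger for review.
SHELL_MARKERS = (b"eval(", b"base64_decode(", b"system(", b"passthru(", b"shell_exec(")
# Assumed upload locations for this example; WP-DownloadManager's real path may differ per site.
UPLOAD_DIRS = ("/wp-content/uploads/", "/wp-content/files/")

# Apache/nginx "combined" access log: ip ident user [timestamp] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log: an admin opens the add-download page, POSTs to it, a normal
# document is fetched, and then a .php file is requested from the upload directory.
SAMPLE_LOG = """\
203.0.113.7 - - [26/Sep/2025:05:30:01 +0000] "GET /wp-admin/admin.php?page=wp-downloadmanager/download-add.php HTTP/1.1" 200 5123
203.0.113.7 - - [26/Sep/2025:05:30:19 +0000] "POST /wp-admin/admin.php?page=wp-downloadmanager/download-add.php HTTP/1.1" 302 312
198.51.100.4 - - [26/Sep/2025:05:31:00 +0000] "GET /wp-content/files/report.pdf HTTP/1.1" 200 88211
198.51.100.4 - - [26/Sep/2025:05:31:07 +0000] "GET /wp-content/files/update.php HTTP/1.1" 200 42
"""

# Constructed directory snapshot (path -> first bytes) standing in for a real upload dir.
SAMPLE_FILES = {
    "wp-content/files/report.pdf": b"%PDF-1.4 constructed sample",
    "wp-content/files/update.php": b"<?php eval(base64_decode($_POST['c'])); ?>",
    "wp-content/files/image.php.jpg": b"\xff\xd8\xff\xe0JFIF constructed sample",
}


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def has_exec_extension(path):
    """True if any dotted segment of the basename is a PHP-family extension.

    Every segment after the first is checked, so a double extension such as
    shell.php.jpg is flagged as well as shell.php.
    """
    name = path.split("?", 1)[0].rsplit("/", 1)[-1].lower()
    return any(part in EXEC_EXT for part in name.split(".")[1:])


def flag_requests(log_text):
    """Return (ip, path, reason) for log lines matching the two request-level signals."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        path = rec["path"]
        if rec["method"] == "POST" and "download-add.php" in path:
            hits.append((rec["ip"], path, "POST to affected upload endpoint"))
        elif any(path.startswith(d) for d in UPLOAD_DIRS) and has_exec_extension(path):
            hits.append((rec["ip"], path, "request for server-side script under upload dir"))
    return hits


def scan_uploads(files):
    """Return (path, [reasons]) for uploaded files that warrant review."""
    findings = []
    for path, data in files.items():
        reasons = []
        if has_exec_extension(path):
            reasons.append("executable extension")
        if b"<?php" in data or b"<?=" in data:
            reasons.append("PHP open tag")
        markers = [m.decode() for m in SHELL_MARKERS if m in data]
        if markers:
            reasons.append("shell markers: " + ", ".join(markers))
        if reasons:
            findings.append((path, reasons))
    return findings


if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG):
        print("request:", *hit)
    for path, reasons in scan_uploads(SAMPLE_FILES):
        print("file:", path, "->", "; ".join(reasons))
```

On a live site, feed `flag_requests` the access log for the period in question and `scan_uploads` a mapping built by walking the plugin's upload directory; correlate the POST timestamps with the modification times of any flagged files to separate a legitimate admin upload from the sequence described in the attack path.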

Mitigation and prioritisation

  • Patch: upgrade to the latest WP-DownloadManager version or remove the plugin if remediation is unavailable.
  • Access control: enforce strong admin authentication, 2FA, and rotate credentials; limit admin scope.
  • Upload controls: restrict allowed file types to an allowlist, disable uploads from untrusted sources, and block PHP files in the uploads directory.
  • Defence-in-depth: enable a WAF/ModSecurity ruleset that flags PHP uploads and suspicious file types; enable file integrity monitoring.
  • Change management: test patch in staging before production; schedule an immediate patch window if feasible.
