CVE Alert: CVE-2025-10754 – geolocationtechnology – DocoDoco Store Locator
CVE-2025-10754
The DocoDoco Store Locator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the zip upload functionality in all versions up to, and including, 1.0.1. This makes it possible for authenticated attackers, with Editor-level access and above, to upload arbitrary files on the affected site’s server which may make remote code execution possible.
AI Summary Analysis
**Risk verdict** High risk of remote code execution if exploited, but there are currently no active exploitation signals observed.
**Why this matters** Authenticated attackers with Editor+ access can upload arbitrary files via the ZIP upload feature, potentially enabling code execution on the server. This creates a credible path to full site compromise, data exposure, or defacement, especially on sites with sensitive data or weakly managed admin accounts.
**Most likely attack path** An Editor+ user uploads a crafted ZIP through the plugin’s upload flow. Due to missing file-type validation, a malicious payload could be written to a web-accessible location. If the payload is executed by the server, the attacker gains control within the site’s context. The vulnerability has network access implications but requires high-privilege authentication, limiting exploitation to compromised or insider accounts.
**Who is most exposed** WordPress sites using the DocoDoco Store Locator plugin (≤1.0.1), with editable admin roles and public admin interfaces. Small to mid-size deployments with shared hosting are particularly at risk where editors can access the upload feature.
Detection ideas
- Alerts for ZIP uploads containing PHP/JS files in plugin/upload directories.
- New or renamed PHP files appearing under wp-content or plugin paths.
- Anomalous upload activity from Editor+ accounts, especially use of the plugin's ZIP upload feature.
- Web server logs showing attempts to execute uploaded payloads.
- WAF/IDS triggers on dangerous file types in uploads.
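As an added example (not part of the original alert, and not code from the plugin or its vendor), the following Python scans web-server access logs for the fourth detection idea above: requests that would execute a PHP-family file under /wp-content/uploads/, a directory that should only ever serve static content. The log lines are constructed for this example, and the path prefix and extension list are assumptions to adjust per site.

```python
import re
from collections import Counter

# Constructed sample lines in combined log format (synthetic, not from any real site).
SAMPLE_LOG = """\
198.51.100.7 - - [10/Oct/2025:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2025:10:01:09 +0000] "GET /wp-content/uploads/2025/10/store.php?cmd=id HTTP/1.1" 200 96 "-" "curl/8.0"
198.51.100.7 - - [10/Oct/2025:10:02:15 +0000] "GET /wp-content/uploads/2025/10/map.png HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2025:10:02:40 +0000] "GET /wp-content/uploads/2025/10/shell.php.png HTTP/1.1" 200 120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2025:10:03:02 +0000] "POST /wp-content/uploads/2025/10/store.php HTTP/1.1" 200 64 "-" "curl/8.0"
"""

# Apache/nginx combined log format: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Extensions a PHP handler may execute. The trailing (?:\.|$) also catches double
# extensions such as shell.php.png, which a loose AddHandler configuration still runs.
SCRIPT_EXT_RE = re.compile(r'\.(?:php\d?|phtml|phar|phps)(?:\.|$)', re.IGNORECASE)

# Assumed location of the WordPress uploads directory (adjust if relocated).
UPLOADS_PREFIX = "/wp-content/uploads/"


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_script_under_uploads(path):
    """True if the request path points at a PHP-family file below the uploads directory."""
    clean = path.split("?", 1)[0].split("#", 1)[0]  # drop query string and fragment
    if not clean.lower().startswith(UPLOADS_PREFIX):
        return False
    filename = clean.rsplit("/", 1)[-1]
    return bool(SCRIPT_EXT_RE.search(filename))


def scan_log(text):
    """Return one finding per request that tries to execute a script under uploads."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and is_script_under_uploads(rec["path"]):
            findings.append({"ip": rec["ip"], "method": rec["method"],
                             "path": rec["path"], "status": rec["status"]})
    return findings


def hits_per_ip(findings):
    """Count findings by client address; a 200 status on such a path is the worst case."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f"{f['ip']} {f['method']} {f['path']} -> {f['status']}")
    print(dict(hits_per_ip(hits)))
```

A 200 response on a flagged path means the server actually executed a file from the uploads tree, which warrants immediate triage; a 403 or 404 shows the execution restriction from the mitigation list is doing its job, but the request itself is still worth correlating with recent Editor+ upload activity.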
Mitigation and prioritisation
- Update to a version later than 1.0.1, or remove/disable the plugin if no fixed version is available.
- Enforce least-privilege, restrict Editor+ access, or disable ZIP upload via the plugin.
- Implement server-side file-type validation and restrict execution in upload folders.
- Harden uploads with WAF rules, content scanning, and strict MIME checks.
- Schedule testing and deployment in a staging environment with verified backups.
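As an added example (not the plugin's code and not the vendor's fix for this CVE), the following Python shows the server-side validation a ZIP upload handler should perform before extracting anything, covering the "server-side file-type validation" and "strict MIME checks" points above: an extension allowlist, rejection of PHP-family and double extensions, dotfiles, path traversal, symlinks, and oversize or suspiciously compressed members. The allowlist, size limits and sample archives are assumptions constructed for the example.

```python
import io
import re
import zipfile

# Assumed allowlist for a store-data archive (example policy, not the plugin's own).
ALLOWED_EXT = {"csv", "json", "txt", "png", "jpg", "jpeg", "gif"}
# Anything a PHP handler might execute, anywhere in the name (catches logo.php.png).
SCRIPT_EXT_RE = re.compile(r'\.(?:php\d?|phtml|phar|phps)(?:\.|$)', re.IGNORECASE)
MAX_ENTRIES = 500                     # assumed limits; tune per deployment
MAX_ENTRY_BYTES = 5 * 1024 * 1024
MAX_TOTAL_BYTES = 50 * 1024 * 1024
MAX_RATIO = 100                       # uncompressed/compressed; crude zip-bomb guard


def entry_problems(info):
    """Return the list of policy violations for one archive member (empty = clean)."""
    name = info.filename
    problems = []
    if "\\" in name or name.startswith("/") or re.match(r"^[A-Za-z]:", name):
        problems.append("absolute or non-POSIX path")
    parts = name.split("/")
    if any(p == ".." for p in parts):
        problems.append("path traversal")
    # Unix mode lives in the high 16 bits of external_attr; 0o120000 is S_IFLNK.
    if (info.external_attr >> 16) & 0o170000 == 0o120000:
        problems.append("symlink")
    if name.endswith("/"):
        return problems  # directory entry: only the path checks apply
    base = parts[-1]
    if base.startswith("."):
        problems.append("dotfile (e.g. .htaccess/.user.ini)")
    if SCRIPT_EXT_RE.search(base):
        problems.append("server-executable extension")
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext not in ALLOWED_EXT:
        problems.append(f"extension '{ext}' not in allowlist")
    if info.file_size > MAX_ENTRY_BYTES:
        problems.append("entry too large")
    if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
        problems.append("suspicious compression ratio")
    return problems


def validate_archive(data):
    """Validate a ZIP given as bytes; return {member: [problems]} (empty dict = accept)."""
    result = {}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"<archive>": ["not a valid zip"]}
    with zf:
        infos = zf.infolist()
        if len(infos) > MAX_ENTRIES:
            result["<archive>"] = ["too many entries"]
        if sum(i.file_size for i in infos) > MAX_TOTAL_BYTES:
            result.setdefault("<archive>", []).append("total uncompressed size too large")
        for info in infos:
            p = entry_problems(info)
            if p:
                result[info.filename] = p
    return result


def build_zip(entries, symlinks=()):
    """Build a constructed test archive: entries maps name->bytes, symlinks is (name, target) pairs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, blob in entries.items():
            zf.writestr(name, blob)
        for name, target in symlinks:
            zi = zipfile.ZipInfo(name)
            zi.external_attr = 0o120777 << 16  # mark the member as a symlink
            zf.writestr(zi, target)
    return buf.getvalue()


# Constructed samples: a clean data archive and one that violates every rule.
SAMPLE_GOOD = build_zip({
    "stores.csv": b"id,name,lat,lon\n1,Shop,35.6,139.7\n",
    "icons/pin.png": b"\x89PNG\r\n\x1a\n",
})
SAMPLE_BAD = build_zip({
    "stores.csv": b"id,name\n",
    "shell.php": b"<?php /* constructed placeholder, not a payload */",
    "logo.php.png": b"x",
    "../../evil.txt": b"x",
    ".htaccess": b"# constructed placeholder\n",
    "big.txt": b"\0" * 2_000_000,
}, symlinks=[("link.csv", "../../../outside.txt")])

if __name__ == "__main__":
    print("good:", validate_archive(SAMPLE_GOOD))
    for member, problems in validate_archive(SAMPLE_BAD).items():
        print(f"bad: {member}: {', '.join(problems)}")
```

Validation of archive contents complements, rather than replaces, disabling script execution in the uploads directory: the allowlist stops a PHP file from being written, and the execution restriction limits the damage if some other path writes one anyway.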