CVE-2025-10050 is a path traversal vulnerability classified under CWE-22 affecting the Developer Loggers for Simple History plugin for WordPress, developed by eskapism. This vulnerability exists in all versions up to and including 0.5 of the plugin. It arises due to improper limitation of a pathname to a restricted directory via the 'enabled_loggers' parameter. An authenticated attacker with Administrator-level privileges or higher can exploit this flaw to perform Local File Inclusion (LFI). By manipulating the 'enabled_loggers' parameter, the attacker can include arbitrary .php files from the server filesystem and execute them. This effectively allows execution of arbitrary PHP code, which can lead to bypassing access controls, unauthorized disclosure of sensitive information, or full remote code execution if the attacker can upload malicious PHP files to the server. The vulnerability requires high privileges (Administrator or above) and does not require user interaction. The CVSS v3.1 base score is 6.6 (medium severity), reflecting network attack vector, high complexity, high privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability is significant because WordPress is widely used, and plugins like Developer Loggers for Simple History are often installed to monitor site activity, making this an attractive target for attackers who have gained admin access to escalate their control over the system.

For European organizations using WordPress with the Developer Loggers for Simple History plugin, this vulnerability poses a serious risk. If an attacker gains Administrator access—through phishing, credential compromise, or other means—they can leverage this flaw to execute arbitrary PHP code on the web server. This can lead to full site compromise, data theft including personal data protected under GDPR, defacement, or use of the server as a pivot point for further attacks within the organization's network. The impact on confidentiality is high due to potential data exposure; integrity is compromised by arbitrary code execution; and availability can be affected if attackers disrupt services or deploy ransomware. Given the strict data protection regulations in Europe, such breaches can result in significant legal and financial penalties. Organizations relying on WordPress for public-facing websites or internal portals must consider this vulnerability a critical escalation vector once admin access is obtained.

Immediate mitigation steps include: 1) Restricting Administrator access strictly to trusted personnel and enforcing strong authentication mechanisms such as multi-factor authentication (MFA) to reduce the risk of credential compromise. 2) Monitoring and auditing admin activities to detect suspicious behavior early. 3) Temporarily disabling or uninstalling the Developer Loggers for Simple History plugin until a security patch is released. 4) Applying strict file upload restrictions and scanning uploaded files to prevent attackers from uploading malicious PHP scripts that could be included. 5) Employing Web Application Firewalls (WAFs) with custom rules to detect and block attempts to manipulate the 'enabled_loggers' parameter with path traversal payloads. 6) Keeping WordPress core and all plugins updated and subscribing to vendor security advisories for timely patch application once available. 7) Conducting regular security assessments and penetration tests focusing on privilege escalation paths within WordPress environments.