CVE-2025-10147 is a critical security vulnerability affecting the Podlove Podcast Publisher plugin for WordPress, developed by eteubert. The vulnerability arises from improper validation of uploaded file types in the 'move_as_original_file' function present in all versions up to and including 4.2.6. Specifically, the plugin fails to restrict or validate the type of files that can be uploaded, allowing unauthenticated attackers to upload arbitrary files to the web server hosting the WordPress site. This lack of validation corresponds to CWE-434: Unrestricted Upload of File with Dangerous Type. Because the attacker does not require any authentication or user interaction, and the vulnerability is remotely exploitable over the network, it poses a severe risk. The uploaded files could include malicious scripts or web shells, potentially enabling remote code execution (RCE) on the affected server. The CVSS v3.1 base score is 9.8 (critical), reflecting the high impact on confidentiality, integrity, and availability, combined with the ease of exploitation. No patches or fixes are currently linked, and no known exploits have been reported in the wild yet, but the severity and simplicity of exploitation make this a high-priority threat for any WordPress site using this plugin. Given the widespread use of WordPress and the popularity of podcasting plugins, this vulnerability could be leveraged to compromise websites, steal data, or launch further attacks within compromised networks.

For European organizations, this vulnerability poses a significant threat, especially to media companies, content creators, and enterprises relying on WordPress for their web presence and podcast distribution. Successful exploitation could lead to full server compromise, data breaches involving personal or sensitive information protected under GDPR, and disruption of services. The ability to execute arbitrary code remotely could also allow attackers to pivot within corporate networks, potentially impacting internal systems and causing reputational damage. Additionally, compromised websites could be used to distribute malware or conduct phishing campaigns targeting European users. The lack of authentication requirement and the critical severity score mean that attackers can exploit this vulnerability at scale, increasing the risk of widespread incidents across European organizations that have not updated or mitigated the vulnerability.

Immediate mitigation steps include disabling the Podlove Podcast Publisher plugin until a secure patch is released. Organizations should monitor their WordPress installations for any unauthorized file uploads, especially in directories related to the plugin. Implementing web application firewalls (WAFs) with rules to detect and block suspicious file upload attempts can reduce risk. Restricting file upload permissions on the server and ensuring that uploaded files cannot be executed as scripts (e.g., by disabling execution permissions in upload directories) can limit the impact of exploitation. Regularly auditing server logs for unusual activity and scanning for web shells or unauthorized files is critical. Organizations should also enforce strict file type validation and sanitization in any custom or third-party plugins. Once a patch is available, prompt updating of the plugin to the fixed version is essential. Additionally, employing intrusion detection systems (IDS) and endpoint protection solutions that can detect exploitation attempts will enhance defense-in-depth.