CVE-2025-10147: CWE-434 Unrestricted Upload of File with Dangerous Type in eteubert Podlove Podcast Publisher
The Podlove Podcast Publisher plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'move_as_original_file' function in all versions up to, and including, 4.2.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
AI Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2025-10147 is a critical security vulnerability identified in the Podlove Podcast Publisher plugin for WordPress, affecting all versions up to and including 4.2.6. The root cause is the absence of proper file type validation in the 'move_as_original_file' function, which allows unauthenticated attackers to upload arbitrary files to the server hosting the affected WordPress site. This vulnerability is categorized under CWE-434, which pertains to unrestricted file upload vulnerabilities that can lead to severe consequences such as remote code execution (RCE). Because the plugin does not verify the file type or restrict the upload of potentially dangerous files, attackers can upload malicious scripts or executables. Once uploaded, these files can be executed remotely, allowing attackers to gain control over the server, manipulate data, or disrupt service availability. The vulnerability is remotely exploitable without any authentication or user interaction, increasing its risk profile. The CVSS v3.1 score of 9.8 reflects the critical nature of this vulnerability, with high impact on confidentiality, integrity, and availability. Although no known exploits have been reported in the wild yet, the ease of exploitation and potential damage make this a high-priority threat for organizations using this plugin. No official patches or updates are currently linked, indicating that users must apply alternative mitigations or monitor for updates from the vendor.
Potential Impact
The impact of CVE-2025-10147 is severe for organizations worldwide using the Podlove Podcast Publisher plugin on WordPress. Successful exploitation can lead to remote code execution, enabling attackers to take full control of the affected web server. This can result in data breaches, website defacement, insertion of malicious content, or use of the compromised server as a pivot point for further attacks within the network. The confidentiality of sensitive information stored or processed by the website can be compromised, integrity of website content and backend data can be altered, and availability can be disrupted through denial-of-service or destructive actions. Given the widespread use of WordPress and the popularity of podcasting, many media companies, content creators, and businesses relying on this plugin are at risk. The vulnerability's unauthenticated nature means attackers can exploit it without any prior access, increasing the likelihood of automated scanning and exploitation attempts. The lack of current public exploits provides a window for mitigation, but the critical severity demands immediate attention to prevent potential widespread compromise.
Mitigation Recommendations
1. Immediate action should include disabling the Podlove Podcast Publisher plugin until a secure patch or update is released by the vendor.
2. Restrict file upload permissions on the web server to prevent execution of uploaded files, such as disabling execution in upload directories via web server configuration (e.g., using .htaccess rules or equivalent).
3. Implement web application firewall (WAF) rules to detect and block suspicious file upload attempts targeting the vulnerable function or plugin endpoints.
4. Monitor server logs and WordPress activity logs for unusual file uploads or access patterns indicative of exploitation attempts.
5. If disabling the plugin is not feasible, restrict access to the upload functionality through IP whitelisting or authentication mechanisms to reduce exposure.
6. Regularly back up website data and server configurations to enable rapid recovery in case of compromise.
7. Stay updated with vendor communications for official patches and apply them promptly once available.
8. Conduct a security audit of the WordPress environment to identify and remediate any other potential vulnerabilities or misconfigurations that could be leveraged in conjunction with this flaw.
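Recommendations 2 and 4 above can be checked concretely. The following is an added example, not code from the advisory or from the Podlove plugin: it scans web-server access log lines (constructed here, in the common "combined" format) for requests to server-side executable files under WordPress's uploads tree, the access pattern an exploited arbitrary upload would leave, and rates a 2xx response (the file was served, and with a default PHP handler likely executed) higher than a 403 (the upload directory already refuses execution). The log format, paths and IPs are assumptions.

```python
import re

# Apache/nginx "combined" access log format (assumed; adjust the regex for other formats).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Server-side executable extensions that must never be served from the uploads tree.
EXEC_EXT = {"php", "php3", "php4", "php5", "php7", "php8", "phtml", "phar", "phps"}
UPLOADS_PREFIX = "/wp-content/uploads/"


def is_executable_name(path: str) -> bool:
    """True if any dotted segment of the file name is an executable extension."""
    # Strip the query string, keep the last path component, compare every extension
    # segment so double extensions such as 'x.php.mp3' (which some Apache AddHandler
    # setups still pass to the PHP interpreter) are caught as well.
    name = path.split("?", 1)[0].rsplit("/", 1)[-1]
    return any(seg in EXEC_EXT for seg in name.lower().split(".")[1:])


def scan_access_log(lines):
    """Return one finding per request that touches an executable file under uploads."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole batch
        path = m.group("path")
        if path.startswith(UPLOADS_PREFIX) and is_executable_name(path):
            status = int(m.group("status"))
            findings.append({
                "ip": m.group("ip"),
                "path": path,
                "status": status,
                # 2xx: the server served (and with a default PHP handler executed) the file.
                # Anything else: the request was made, which is still worth investigating.
                "severity": "critical" if 200 <= status < 300 else "suspicious",
            })
    return findings


# Constructed sample log lines for a self-contained run; not from any real incident.
SAMPLE_LOG = [
    '203.0.113.10 - - [23/Sep/2025:08:37:26 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 15',
    '203.0.113.10 - - [23/Sep/2025:08:37:27 +0000] "GET /wp-content/uploads/2025/09/cover.jpg HTTP/1.1" 200 3211',
    '203.0.113.10 - - [23/Sep/2025:08:37:29 +0000] "GET /wp-content/uploads/2025/09/episode.php HTTP/1.1" 200 42',
    '198.51.100.7 - - [23/Sep/2025:08:40:01 +0000] "GET /wp-content/uploads/2025/09/intro.php.mp3 HTTP/1.1" 403 199',
    'garbage line that does not parse',
]
```

Run it with `python3 -c 'import scan; print(scan.scan_access_log(scan.SAMPLE_LOG))'` after saving as scan.py, or feed real log lines from a file in place of SAMPLE_LOG.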
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, Sweden, Brazil, India
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-09-09T00:48:59.466Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68d25c4623e5eeb014d89dc2
Added to database: 9/23/2025, 8:37:26 AM
Last enriched: 2/27/2026, 6:11:21 PM
Last updated: 3/25/2026, 3:08:51 AM