CVE-2025-10744 is a vulnerability classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) affecting the File Manager, Code Editor, and Backup by Managefy plugin for WordPress. The flaw exists in all versions up to and including 1.6.1, where log files generated by the plugin are publicly accessible without authentication. These log files contain sensitive information such as full filesystem paths and backup file locations. Because these logs are exposed, unauthenticated attackers can retrieve this information, which can be leveraged to map the server's directory structure and identify backup files that may contain critical data. The vulnerability has a CVSS 3.1 base score of 5.3, indicating a medium severity level, with an attack vector of network (remote), low attack complexity, no privileges required, and no user interaction needed. The impact is limited to confidentiality, with no direct impact on integrity or availability. No patches or fixes are currently linked, and no known exploits have been reported in the wild. The vulnerability is significant because it provides attackers with valuable reconnaissance data that can facilitate further exploitation or targeted attacks on the affected systems.

The primary impact of this vulnerability is the unauthorized disclosure of sensitive information, specifically full filesystem paths and backup file locations. This information leakage can aid attackers in planning more effective attacks, such as identifying critical files for exfiltration or exploiting other vulnerabilities that require knowledge of the server's directory structure. While the vulnerability does not directly compromise data integrity or availability, the exposure of backup file paths could lead to targeted attacks on backup data, potentially resulting in data theft or loss if combined with other vulnerabilities. Organizations using this plugin may face increased risk of targeted attacks, especially if their backups contain sensitive or regulated data. The medium severity rating reflects the moderate risk posed by information disclosure without immediate system compromise, but the ease of exploitation and lack of authentication requirements increase the urgency for mitigation.

1. Restrict access to log files by configuring web server permissions to prevent public access to directories containing logs generated by the plugin. 2. Implement web application firewall (WAF) rules to block unauthorized requests attempting to access log files or backup directories. 3. Monitor web server logs for unusual access patterns targeting log files or backup locations. 4. Disable or remove the File Manager, Code Editor, and Backup by Managefy plugin if it is not essential to reduce the attack surface. 5. Regularly audit and review file permissions and directory listings on the web server to ensure sensitive files are not publicly accessible. 6. Stay alert for official patches or updates from the vendor and apply them promptly once available. 7. Consider isolating backup files outside the web root or using secure storage solutions to prevent direct web access. 8. Educate administrators about the risks of exposing sensitive information through logs and the importance of secure configuration.