CVE-2025-10744 is a medium-severity vulnerability affecting the WordPress plugin 'File Manager, Code Editor, and Backup by Managefy' developed by softdiscover. The vulnerability is classified under CWE-200, which involves the exposure of sensitive information to unauthorized actors. Specifically, this flaw exists in all versions up to and including 1.6.1 of the plugin. The issue arises because certain log files generated by the plugin are publicly accessible without authentication. These log files contain sensitive information such as full filesystem paths and backup file locations. An unauthenticated attacker can exploit this exposure by simply accessing these log files over the web, thereby gaining insights into the server's directory structure and backup file locations. This information disclosure does not require any user interaction or privileges and can be performed remotely over the network. The CVSS v3.1 base score is 5.3, reflecting a medium severity level, with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), confidentiality impact limited to partial information disclosure (C:L), and no impact on integrity or availability (I:N/A:N). Although no known exploits are currently reported in the wild, the publicly accessible nature of the logs makes this vulnerability a potential target for reconnaissance by attackers aiming to gather information for further exploitation.

For European organizations using WordPress sites with the affected plugin, this vulnerability could facilitate information gathering by attackers. Exposure of full filesystem paths and backup file locations can aid attackers in crafting targeted attacks such as directory traversal, privilege escalation, or backup file theft. Organizations handling sensitive or regulated data may face increased risk of data breaches or compliance violations if attackers leverage this information to access protected resources. While the vulnerability itself does not directly allow code execution or data modification, the disclosed information can be a stepping stone in multi-stage attacks. This is particularly relevant for sectors such as finance, healthcare, and government within Europe, where data protection regulations like GDPR impose strict requirements on safeguarding sensitive information. Additionally, the ease of exploitation without authentication increases the risk surface for publicly accessible WordPress sites, which are widely used across European businesses and institutions.

To mitigate this vulnerability, organizations should immediately update the 'File Manager, Code Editor, and Backup by Managefy' plugin to a patched version once released by the vendor. Until a patch is available, administrators should restrict access to the plugin's log files by implementing web server-level access controls such as .htaccess rules or equivalent configurations to deny public access. Additionally, reviewing and minimizing the logging verbosity to avoid storing sensitive path information in publicly accessible locations is recommended. Employing a web application firewall (WAF) with rules to block unauthorized access to sensitive plugin directories can provide an additional layer of defense. Regularly auditing WordPress plugins for security updates and removing unused or unsupported plugins reduces exposure. Finally, monitoring web server logs for unusual access patterns to plugin directories can help detect exploitation attempts early.