The vulnerability identified as CVE-2025-10754 affects the DocoDoco Store Locator plugin for WordPress, specifically versions up to 1.0.1. The root cause is a CWE-434 weakness: unrestricted upload of files with dangerous types due to missing validation on the zip upload functionality. This flaw permits authenticated users with Editor-level privileges or higher to upload arbitrary files to the web server hosting the WordPress site. Since the plugin does not properly validate or restrict the types of files uploaded within zip archives, attackers can upload malicious scripts or executables. Once uploaded, these files can be executed remotely, potentially leading to remote code execution (RCE). The vulnerability requires authentication with elevated privileges but does not require additional user interaction, making it easier for insiders or compromised accounts to exploit. The CVSS v3.1 base score is 7.2, reflecting network attack vector, low attack complexity, high privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. No patches or fixes are currently linked, and no known exploits have been observed in the wild as of the publication date. The vulnerability is significant because WordPress powers a large portion of websites globally, and plugins like DocoDoco Store Locator are commonly used for e-commerce and retail location services, making affected sites attractive targets for attackers seeking to gain server-level access.

If exploited, this vulnerability could allow attackers to execute arbitrary code on the web server, leading to full compromise of the affected WordPress site and potentially the underlying server infrastructure. This can result in data theft, defacement, installation of backdoors, pivoting to internal networks, and disruption of services. The integrity and confidentiality of sensitive customer and business data could be severely impacted. Availability may also be affected if attackers deploy ransomware or launch denial-of-service conditions. Organizations relying on this plugin for store location services risk reputational damage and regulatory penalties if customer data is exposed. Since exploitation requires Editor-level access, compromised or malicious insiders pose a significant threat. The lack of current known exploits provides a window for remediation, but the ease of exploitation once access is obtained makes this a critical risk for organizations with multiple WordPress users having elevated privileges.

Organizations should immediately audit user roles and restrict Editor-level and higher privileges to trusted personnel only. Disable or remove the DocoDoco Store Locator plugin if it is not essential. Monitor file upload directories for suspicious files, especially those uploaded via zip archives. Implement web application firewalls (WAFs) with rules to detect and block malicious file uploads and execution attempts. Employ file integrity monitoring to detect unauthorized changes. Regularly update WordPress core, plugins, and themes once a patch for this vulnerability is released. In the absence of an official patch, consider applying custom filters or code to validate and restrict file types during uploads. Conduct security awareness training for administrators about the risks of privilege misuse. Review server logs for unusual activity indicative of exploitation attempts. Segregate WordPress hosting environments to limit lateral movement if compromise occurs.