CVE-2025-10754 is a vulnerability classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) found in the DocoDoco Store Locator plugin for WordPress, developed by geolocationtechnology. The vulnerability arises from the plugin's failure to validate file types during the zip file upload process, allowing authenticated users with Editor-level or higher permissions to upload arbitrary files to the web server. Since Editors and above typically have content management privileges, this access level is sufficient to exploit the vulnerability. The lack of file type validation means that attackers can upload malicious files, such as web shells or scripts, which can then be executed remotely, leading to remote code execution (RCE). The CVSS v3.1 base score of 7.2 reflects a high severity, with attack vector being network-based (AV:N), low attack complexity (AC:L), requiring privileges (PR:H), no user interaction (UI:N), unchanged scope (S:U), and high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). The vulnerability affects all versions of the plugin up to and including 1.0.1, with no patches currently available. Although no known exploits are reported in the wild, the vulnerability's characteristics make it a significant risk for WordPress sites using this plugin, especially those with multiple users having Editor or higher roles. The threat is exacerbated by the widespread use of WordPress in e-commerce and business websites, where such a compromise could lead to data breaches, defacement, or full server takeover.

For European organizations, the impact of CVE-2025-10754 can be severe. Successful exploitation can lead to remote code execution, allowing attackers to execute arbitrary commands on the affected server. This can result in unauthorized data access or exfiltration, website defacement, disruption of services, and potential lateral movement within the organization's network. Given the plugin's use in store locator functionalities, e-commerce and retail businesses are particularly vulnerable, risking customer data exposure and loss of trust. The compromise of web servers can also serve as a pivot point for further attacks against internal systems. Additionally, regulatory frameworks such as GDPR impose strict data protection requirements; a breach resulting from this vulnerability could lead to significant legal and financial penalties. The high prevalence of WordPress in Europe, combined with the common use of plugins like DocoDoco Store Locator, increases the exposure of organizations, especially those with multiple content editors or administrators who have the required privileges to exploit this flaw.

1. Immediately restrict access to the DocoDoco Store Locator plugin's upload functionality to only the most trusted users, preferably limiting Editor-level and above roles until a patch is available. 2. Implement strict monitoring and logging of file uploads, especially zip files, to detect any unauthorized or suspicious activity. 3. Employ web application firewalls (WAFs) with custom rules to block or alert on suspicious file upload patterns or execution of unauthorized scripts. 4. Disable or remove the DocoDoco Store Locator plugin if it is not essential to business operations. 5. Regularly audit user roles and permissions in WordPress to minimize the number of users with Editor or higher privileges. 6. Use file integrity monitoring tools to detect unauthorized changes or uploads on the web server. 7. Stay informed about vendor updates and apply patches promptly once released. 8. Consider isolating the WordPress environment using containerization or sandboxing to limit the impact of potential exploitation. 9. Conduct penetration testing focused on file upload functionalities to identify similar vulnerabilities proactively.