CVE-2025-6586: CWE-434 Unrestricted Upload of File with Dangerous Type in metagauss Download Plugin
The Download Plugin plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the dpwap_plugin_locInstall function in all versions up to, and including, 2.2.8. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2025-6586 affects the Download Plugin by metagauss for WordPress, specifically versions up to and including 2.2.8. The root cause is the absence of file type validation in the dpwap_plugin_locInstall function, which handles file uploads. This weakness allows an attacker with Administrator-level access to upload arbitrary files, including potentially malicious scripts, to the web server hosting the WordPress site. Because the attacker can upload files without restrictions on their type, they can place executable code on the server, leading to remote code execution (RCE). The vulnerability is classified under CWE-434, which pertains to unrestricted file upload vulnerabilities. The CVSS v3.1 base score is 7.2, indicating a high severity level, with the vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. This means the attack can be performed remotely over the network with low attack complexity, requires high privileges (Administrator), no user interaction, and impacts confidentiality, integrity, and availability significantly. Although no known exploits are currently in the wild, the potential for exploitation is substantial given the nature of the vulnerability and the widespread use of WordPress and its plugins. The vulnerability affects all versions of the plugin up to 2.2.8, and no official patches have been linked yet, indicating the need for immediate attention by site administrators.
Potential Impact
If exploited, this vulnerability allows attackers with Administrator access to upload arbitrary files, including web shells or other malicious payloads, enabling full remote code execution on the affected server. This can lead to complete compromise of the website and underlying server infrastructure, data theft, defacement, malware distribution, and use of the server as a pivot point for further attacks within an organization's network. The confidentiality of sensitive data stored or processed by the website can be breached, integrity of website content and backend systems compromised, and availability disrupted through destructive payloads or denial-of-service conditions. Given WordPress's popularity, many organizations worldwide could be impacted, especially those relying on this plugin for file downloads. The requirement for Administrator privileges limits exploitation to insiders or attackers who have already compromised an admin account, but such privilege escalation is common in targeted attacks. The lack of public exploits currently reduces immediate risk but does not eliminate the threat, as attackers may develop exploits rapidly once the vulnerability is public.
Mitigation Recommendations
Organizations should immediately audit their WordPress installations to identify the presence of the metagauss Download Plugin and verify the version in use. Until an official patch is released, administrators should consider disabling or uninstalling the plugin to eliminate the attack surface. Restrict Administrator access strictly to trusted personnel and enforce strong authentication mechanisms, including multi-factor authentication, to reduce the risk of credential compromise. Implement web application firewalls (WAFs) with custom rules to detect and block suspicious file upload attempts targeting this plugin's endpoints. Monitor server logs for unusual file upload activity or the presence of unexpected files, especially executable scripts in upload directories. Regularly back up website data and server configurations to enable recovery in case of compromise. Once a patch becomes available, apply it promptly. Additionally, consider employing file integrity monitoring solutions to detect unauthorized changes to web server files. Educate administrators about the risks of arbitrary file uploads and the importance of least privilege principles.
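The audit and monitoring steps above, as an added example that is not part of the advisory: a small Python helper that reads the plugin's header to flag versions up to and including 2.2.8, and lists server-executable files under wp-content/uploads. The plugin path `download-plugin/download-plugin.php` and the extension list are assumptions.

```python
# Added defender helper for CVE-2025-6586 (not from the advisory or the plugin).
# Assumed main file path; the executable-extension list is a starting point.
import os
import re

FIXED_AFTER = (2, 2, 8)  # all versions up to and including 2.2.8 are affected
PLUGIN_MAIN = os.path.join("wp-content", "plugins", "download-plugin", "download-plugin.php")
EXEC_EXTS = {".php", ".phtml", ".php5", ".php7", ".phar", ".sh"}

def parse_version(text):
    """Return the 'Version:' header of a WordPress plugin file as an int tuple, or None."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", text, re.M)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).strip(".").split("."))

def is_vulnerable(version):
    """True when version <= 2.2.8; tuple comparison orders 2.2.10 after 2.2.8 correctly."""
    return version is not None and version <= FIXED_AFTER

def check_plugin(wp_root):
    """Return (installed, version_tuple, vulnerable) for the plugin under wp_root."""
    path = os.path.join(wp_root, PLUGIN_MAIN)
    if not os.path.isfile(path):
        return (False, None, False)
    with open(path, encoding="utf-8", errors="replace") as fh:
        version = parse_version(fh.read(4096))  # header block sits at the top of the file
    return (True, version, is_vulnerable(version))

def find_executables_in_uploads(wp_root):
    """List files under wp-content/uploads that a PHP handler could execute."""
    found = []
    uploads = os.path.join(wp_root, "wp-content", "uploads")
    for dirpath, _, files in os.walk(uploads):
        for name in files:
            lower = name.lower()
            # double extensions such as shell.php.jpg also get flagged
            if os.path.splitext(lower)[1] in EXEC_EXTS or ".php." in lower:
                found.append(os.path.relpath(os.path.join(dirpath, name), wp_root))
    return sorted(found)

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    print("plugin:", check_plugin(root))
    print("executables in uploads:", find_executables_in_uploads(root))
```

Run it with the WordPress root as the argument; a non-empty second list deserves a look even when the plugin is absent.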
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, India, Brazil, Japan, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-06-24T20:40:49.337Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68673b5e6f40f0eb729e5fb2
Added to database: 7/4/2025, 2:24:30 AM
Last enriched: 2/26/2026, 3:41:29 PM
Last updated: 3/24/2026, 2:02:11 PM