CVE-2025-10754
BaseFortify
Publication date: 2025-10-15
Last updated on: 2025-10-16
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| docodoco | store_locator | 1.0.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the DocoDoco Store Locator WordPress plugin (up to version 1.0.1) allows authenticated users with Editor-level access or higher to upload arbitrary files via the ZIP upload functionality. This happens because the plugin lacks proper file type validation during ZIP import, enabling attackers to upload malicious files to the server. The vulnerability stems from insufficient validation or sanitization in the ZIP import process, which handles importing store data and images from ZIP archives. This can lead to unauthorized file operations and potentially remote code execution on the affected site. [2]
How can this vulnerability impact me? :
This vulnerability can allow an attacker with Editor-level access or higher to upload arbitrary files to the server hosting the WordPress site. Such file uploads can lead to remote code execution, allowing the attacker to run malicious code on the server. This can compromise the website's integrity, confidentiality, and availability, potentially leading to data theft, site defacement, or full server takeover.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves monitoring for suspicious ZIP file uploads to the Docodoco Store Locator plugin's import functionality, especially from users with Editor-level access or higher. Since the vulnerability allows arbitrary file uploads via the ZIP import, you can look for unusual POST requests to the plugin's ZIP upload endpoint. Commands to detect such activity might include inspecting web server logs for POST requests containing ZIP files, for example using grep: `grep -i 'POST' /var/log/apache2/access.log | grep '.zip'` or monitoring WordPress upload directories for unexpected files. Additionally, scanning the uploads/store-images/ directory for files with unexpected extensions or recently modified files could help. However, no specific commands are provided in the resources. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting or disabling the ZIP import functionality in the Docodoco Store Locator plugin until a patch is applied. Limit Editor-level and above user permissions to trusted users only. Monitor and audit uploaded files in the /uploads/store-images/ directory for unauthorized or suspicious files. Applying updates or patches from the plugin developer that fix the missing file type validation is critical. If no patch is available, consider removing or disabling the plugin temporarily to prevent exploitation. [2]