Arbitrary File Upload Vulnerability in Download Plugin for WordPress
CVE-2025-6586

7.2HIGH

Key Information:

Vendor: WordPress
Status: Download Plugin
Vendor: CVE Published:; 4 July 2025

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2025-6586?

The Download Plugin for WordPress is susceptible to an arbitrary file upload vulnerability due to a lack of sufficient file type validation in the dpwap_plugin_locInstall function. This issue exists across all versions up to and including 2.2.8. Authenticated users with Administrator-level access can exploit this vulnerability to upload arbitrary files to the server, which may lead to potential remote code execution. Website administrators should ensure that they apply security updates and monitor file upload activities to mitigate this risk.

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-6586
Created by d0n601

References

https://plugins.trac.wordpress.org/browser/download-plugi...

https://www.wordfence.com/threat-intel/vulnerabilities/id...

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 4, 2025
🟡
Public PoC available
Jun 25, 2025
👾
Exploit known to exist
Jun 25, 2025