CVE-2025-0316

CRITICAL

WP Directorybox Manager <2.5 - Auth Bypass

Title source: llm

Description

The WP Directorybox Manager plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.5. This is due to incorrect authentication in the 'wp_dp_enquiry_agent_contact_form_submit_callback' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username.

Exploits (1)

nomisec WORKING POC 1 stars

by MrPayloadC · poc

https://github.com/MrPayloadC/CVE-2025-0316-Exploit

View Code ZIP pw:eip

References (2)

[Various Sources] https://themeforest.net/item/directory-multipurpose-wordpress-theme/10480929

[Third Party Advisory] https://www.wordfence.com/threat-intel/vulnerabilities/id/3ee1f412-7555-4dec-ba59-49412471a42f?source=cve

Scores

CVSS v3 9.8

EPSS 0.0016

EPSS Percentile 36.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-288

Status published

Products (1)

Chimpstudio/WP Directorybox Manager < 2.5

Published Feb 08, 2025

Tracked Since Feb 18, 2026