CVE-2025-0316

CRITICAL

WP Directorybox Manager <2.5 - Auth Bypass

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-0316. PoCs published by MrPayloadC.

AI-analyzed exploit summary This is a functional exploit for CVE-2025-0316, targeting an authentication bypass vulnerability in the WordPress plugin WP Directorybox Manager <= 2.5. It automates user enumeration and session hijacking via a vulnerable AJAX action.

Description

The WP Directorybox Manager plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.5. This is due to incorrect authentication in the 'wp_dp_enquiry_agent_contact_form_submit_callback' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username.

Exploits (1)

nomisec WORKING POC 1 stars
by MrPayloadC · poc
https://github.com/MrPayloadC/CVE-2025-0316-Exploit

This is a functional exploit for CVE-2025-0316, targeting an authentication bypass vulnerability in the WordPress plugin WP Directorybox Manager <= 2.5. It automates user enumeration and session hijacking via a vulnerable AJAX action.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: WordPress Plugin WP Directorybox Manager <= 2.5
No auth needed
Prerequisites: Target running WordPress with vulnerable plugin · Access to wp-admin/admin-ajax.php
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Scores

CVSS v3 9.8
EPSS 0.0069
EPSS Percentile 47.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE
CWE-288
Status published
Products (1)
Chimpstudio/WP Directorybox Manager < 2.5
Published Feb 08, 2025
Tracked Since Feb 18, 2026