CVE-2025-10488

HIGH

The Directorist: AI-Powered Business Directory Plugin with Classifi...

Title source: llm

Description

The Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings plugin for WordPress is vulnerable to arbitrary file move due to insufficient file path validation in the add_listing_action AJAX action in all versions up to, and including, 8.4.8. This makes it possible for unauthenticated attackers to move arbitrary files on the server, which can easily lead to remote code execution when the right file is moved (such as wp-config.php).

References (3)

Core 3

Core References

Product

https://plugins.trac.wordpress.org/browser/directorist/tags/8.4.5/includes/classes/class-add-listing.php#L634

Product

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3377181%40directorist&new=3377181%40directorist&sfp_email=&sfph_mail=

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/2249ef72-9955-4636-b32f-e88720923268?source=cve

Scores

CVSS v3 8.1

EPSS 0.0076

EPSS Percentile 50.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-22

Status published

Products (2)

wpwax/Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings < 8.4.8

wpwax/Directorist: AI-Powered Business Directory, Listings & Classified Ads < 8.4.8

Published Oct 25, 2025

Tracked Since Feb 18, 2026