CVE-2025-10488
BaseFortify
Publication date: 2025-10-25
Last updated on: 2025-10-27
Assigner: Wordfence
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| directorist | directorist | 8.4.5 |
| directorist | directorist | 8.4.9 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
How can this vulnerability impact me?
This vulnerability can have severe impacts including allowing attackers to move arbitrary files on the server without authentication. This can lead to remote code execution if critical files such as wp-config.php are moved or replaced. Remote code execution can allow attackers to take full control of the affected WordPress site, leading to data theft, site defacement, malware installation, or further attacks on the hosting environment. [1]
Can you explain this vulnerability to me?
The vulnerability in the Directorist WordPress plugin (up to version 8.4.8) is due to insufficient validation of file paths in the add_listing_action AJAX action. This flaw allows unauthenticated attackers to move arbitrary files on the server. Because the plugin handles listing submissions and image uploads, improper sanitization of file names and paths can be exploited to manipulate files, potentially moving critical files like wp-config.php. This can lead to remote code execution if an attacker moves or replaces files that the server executes or reads. The vulnerability arises from inadequate checks on uploaded file names and paths, which was later fixed by improving filename sanitization. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves monitoring for unauthorized or suspicious AJAX requests to the 'add_listing_action' endpoint in the Directorist plugin, especially those attempting to move files or upload images without proper authorization. You can check your web server logs for POST requests to admin-ajax.php with the action parameter set to 'add_listing_action'. For example, using grep on an Apache or Nginx access log:

1. grep 'add_listing_action' /var/log/apache2/access.log
2. grep 'add_listing_action' /var/log/nginx/access.log

Additionally, inspecting WordPress debug logs or enabling logging for AJAX actions may help identify suspicious activity. Since the vulnerability involves arbitrary file moves via insufficient file path validation, look for unusual file operations or unexpected changes in critical files like wp-config.php. There are no specific commands provided in the resources, but monitoring AJAX requests and file changes related to the Directorist plugin is recommended. [1]
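The grep search above can be tightened into a per-client triage; the script below is an added example, not taken from the advisory or the Directorist project. It separates requests that name the action in the URL from POSTs to admin-ajax.php that carry no action in the URL, because access logs do not record POST bodies and a plain grep cannot see an action sent there. It assumes the combined log format; the function names are hypothetical and the log lines are constructed.

```shell
#!/usr/bin/env bash
# Added example: triage a combined-format access log for requests that may
# reach the add_listing_action AJAX handler. Function names are hypothetical.

# Constructed sample log lines (documentation IP ranges, made-up timestamps).
sample_log() {
cat <<'EOF'
203.0.113.7 - - [26/Oct/2025:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=add_listing_action HTTP/1.1" 200 512 "-" "curl/8.5.0"
203.0.113.7 - - [26/Oct/2025:10:01:05 +0000] "POST /wp-admin/admin-ajax.php?action=add_listing_action HTTP/1.1" 200 498 "-" "curl/8.5.0"
198.51.100.23 - - [26/Oct/2025:10:02:11 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 77 "-" "Mozilla/5.0"
198.51.100.23 - - [26/Oct/2025:10:02:40 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 58 "-" "Mozilla/5.0"
192.0.2.44 - - [26/Oct/2025:10:03:00 +0000] "GET /listing/add_listing_action-howto/ HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
EOF
}

# named_hits [LOGFILE]: requests to admin-ajax.php whose URL names the action.
# Fields in combined format: $1 = client, $6 = "METHOD, $7 = path and query.
# Output: "<count> <client>", busiest client first. Reads stdin if no file.
named_hits() {
    awk '$7 ~ /\/wp-admin\/admin-ajax\.php\?/ &&
         $7 ~ /[?&]action=add_listing_action/ { n[$1]++ }
         END { for (ip in n) print n[ip], ip }' "${1:--}" | sort -rn
}

# opaque_posts [LOGFILE]: POSTs to admin-ajax.php with no action in the URL.
# The action is then in the request body, which the access log does not
# record, so these clients need correlation with body logging (WAF, debug
# log) or with modification times of files such as wp-config.php.
opaque_posts() {
    awk '$6 == "\"POST" && $7 ~ /\/wp-admin\/admin-ajax\.php/ &&
         $7 !~ /[?&]action=/ { n[$1]++ }
         END { for (ip in n) print n[ip], ip }' "${1:--}" | sort -rn
}

# Demo on the constructed sample; pass a real log path to the functions instead.
echo "named add_listing_action requests:"; sample_log | named_hits
echo "admin-ajax.php POSTs with action hidden in body:"; sample_log | opaque_posts
```

On the sample, a plain grep also matches the unrelated page URL in the last line, while named_hits counts only the two admin-ajax.php requests.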
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the Directorist plugin to version 8.4.9 or later, as this version includes a security fix that improves filename sanitization to prevent arbitrary file moves and file manipulation attacks. This update applies the sanitize_file_name() function to uploaded filenames, enforcing stricter validation and mitigating the vulnerability. Additionally, ensure your WordPress installation and PHP version meet the plugin requirements (PHP 7.0 or higher). If updating immediately is not possible, restrict access to the AJAX actions related to listing submissions and uploads, and monitor for suspicious activity as a temporary measure. [2]