CVE-2025-12174
BaseFortify
Publication date: 2025-11-19
Last updated on: 2025-11-19
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| directorist | business_directory_plugin | 8.5.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings for WordPress. It is caused by missing capability checks on two AJAX actions ('directorist_prepare_listings_export_file' and 'directorist_type_slug_change') in all versions up to and including 8.5.2. Because of this, authenticated users with Subscriber-level access or higher can perform actions they should not be authorized to do, such as exporting listing details and changing the directorist slug.
How can this vulnerability impact me? :
An attacker with at least Subscriber-level access can exploit this vulnerability to export sensitive listing details without proper authorization and modify the directorist slug. This could lead to unauthorized data disclosure and potential manipulation of directory listings, impacting the integrity and confidentiality of the data.