CVE-2025-67975
Awaiting Analysis Awaiting Analysis - Queue
Missing Authorization in aDirectory ≀ 3.0.3 Enables Unauthorized Access

Publication date: 2026-02-20

Last updated on: 2026-04-27

Assigner: Patchstack

Description
Missing Authorization vulnerability in aDirectory aDirectory adirectory allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects aDirectory: from n/a through <= 3.0.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-20
Last Modified
2026-04-27
Generated
2026-06-16
AI Q&A
2026-02-20
EPSS Evaluated
2026-06-14
NVD
CVE-2025-67975
EUVD
EUVD-2025-208046
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
patchstack adirectory to 3.0.3 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-67975 is a medium severity Broken Access Control vulnerability in the WordPress aDirectory plugin versions up to and including 3.0.3.

The issue is caused by missing authorization, authentication, or nonce token checks in certain functions, which allows unprivileged users (such as subscribers or developers) to perform actions that should be restricted to higher privileged roles.

This vulnerability falls under the OWASP Top 10 category A1: Broken Access Control.

Impact Analysis

This vulnerability allows unprivileged users to perform actions reserved for higher privileged roles, potentially leading to unauthorized changes or access within the WordPress site using the aDirectory plugin.

Because of the missing authorization checks, attackers could exploit this to manipulate site content, settings, or data, which could compromise the integrity and security of the website.

The vulnerability has a CVSS score of 6.5, indicating a moderate risk and a reasonable likelihood of exploitation.

Users are strongly advised to update the plugin to version 3.0.4 or later to mitigate this risk.

Compliance Impact

I don't know

Detection Guidance

This vulnerability arises from missing authorization and authentication checks in the aDirectory WordPress plugin up to version 3.0.3, allowing unprivileged users to perform privileged actions.

Detection can involve monitoring for unusual privilege escalation attempts or unauthorized actions performed by low-privileged users within the WordPress environment.

Patchstack provides continuous security monitoring for WordPress sites which can help detect exploitation attempts targeting this vulnerability.

Specific commands are not provided in the available resources.

Mitigation Strategies

The primary mitigation step is to update the aDirectory plugin to version 3.0.4 or later, where the vulnerability has been patched.

Until the update can be applied, Patchstack provides an immediate mitigation rule to block attacks targeting this vulnerability.

Additionally, enabling automatic updates for vulnerable plugins and using continuous security monitoring can help protect your WordPress site.

Users are strongly advised to apply the patch promptly to prevent exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-67975. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart