CVE-2025-67975
Missing Authorization in aDirectory β€ 3.0.3 Enables Unauthorized Access
Publication date: 2026-02-20
Last updated on: 2026-04-27
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| patchstack | adirectory | to 3.0.3 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-67975 is a medium severity Broken Access Control vulnerability in the WordPress aDirectory plugin versions up to and including 3.0.3.
The issue is caused by missing authorization, authentication, or nonce token checks in certain functions, which allows unprivileged users (such as subscribers or developers) to perform actions that should be restricted to higher privileged roles.
This vulnerability falls under the OWASP Top 10 category A1: Broken Access Control.
How can this vulnerability impact me? :
This vulnerability allows unprivileged users to perform actions reserved for higher privileged roles, potentially leading to unauthorized changes or access within the WordPress site using the aDirectory plugin.
Because of the missing authorization checks, attackers could exploit this to manipulate site content, settings, or data, which could compromise the integrity and security of the website.
The vulnerability has a CVSS score of 6.5, indicating a moderate risk and a reasonable likelihood of exploitation.
Users are strongly advised to update the plugin to version 3.0.4 or later to mitigate this risk.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability arises from missing authorization and authentication checks in the aDirectory WordPress plugin up to version 3.0.3, allowing unprivileged users to perform privileged actions.
Detection can involve monitoring for unusual privilege escalation attempts or unauthorized actions performed by low-privileged users within the WordPress environment.
Patchstack provides continuous security monitoring for WordPress sites which can help detect exploitation attempts targeting this vulnerability.
Specific commands are not provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to update the aDirectory plugin to version 3.0.4 or later, where the vulnerability has been patched.
Until the update can be applied, Patchstack provides an immediate mitigation rule to block attacks targeting this vulnerability.
Additionally, enabling automatic updates for vulnerable plugins and using continuous security monitoring can help protect your WordPress site.
Users are strongly advised to apply the patch promptly to prevent exploitation.