CVE-2025-68069
Missing Authorization in wpWax Directorist β€ 8.5.10 Enables Unauthorized Access
Publication date: 2026-02-20
Last updated on: 2026-04-27
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wpwax | directorist | to 8.5.10 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-68069 is a medium priority Broken Access Control vulnerability in the WordPress Directorist Plugin versions up to and including 8.5.10.
The issue arises from missing authorization, authentication, or nonce token checks within certain plugin functions, which allows unprivileged users (such as subscribers or developers) to perform actions that normally require higher privileges.
This vulnerability is classified under the OWASP Top 10 category A1: Broken Access Control.
How can this vulnerability impact me? :
Because of missing authorization checks, unprivileged users can perform actions that should be restricted to higher privilege roles.
This can lead to unauthorized access or modification of data, potentially compromising the security and integrity of your WordPress site.
The vulnerability has a CVSS score of 7.1, indicating a moderate severity and a significant likelihood of exploitation.
No official patch is currently available, but a mitigation rule from Patchstack can be applied to block attacks targeting this flaw.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
CVE-2025-68069 is a Broken Access Control vulnerability in the WordPress Directorist Plugin that allows unprivileged users to perform actions requiring higher privileges due to missing authorization checks.
There is no specific detection command or signature provided in the available resources. However, monitoring for unusual privilege escalation attempts or unauthorized actions by low-privilege users within the Directorist plugin functions could help identify exploitation attempts.
Since no official patch is available, applying the mitigation rule provided by Patchstack is recommended to block attacks targeting this vulnerability.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying the mitigation rule released by Patchstack to block attacks targeting this vulnerability.
Since no official patch is currently available for CVE-2025-68069, users should promptly implement this mitigation to secure their websites.
Additionally, monitoring and restricting unprivileged user actions within the Directorist plugin can help reduce risk until an official fix is issued.