Description
The Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings plugin for WordPress is vulnerable to arbitrary file move due to insufficient file path validation in the add_listing_action AJAX action in all versions up to, and including, 8.4.8. This makes it possible for unauthenticated attackers to move arbitrary files on the server, which can easily lead to remote code execution when the right file is moved (such as wp-config.php).
Published: 2025-10-25
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Apply Patch
AI Analysis

Impact

The Directorist plugin for WordPress is vulnerable to an arbitrary file move due to insufficient file path validation in the add_listing_action AJAX request. An attacker can instruct the server to move any file on the hosting file system, which can lead to remote code execution if a critical file such as "wp-config.php" is moved into a web‑accessible location. The weakness matches CWE-22 because the plugin allows path traversal.

Affected Systems

WordPress sites running the Directorist AI-Powered Business Directory plugin from wpwax at any release up to and including 8.4.8 are affected. The vulnerability is present in all documented versions of the plugin up to that point.

Risk and Exploitability

This flaw carries a CVSS score of 8.1 and an EPSS score of less than 1%. It is not currently listed in the CISA KEV catalog. The description indicates that unauthenticated users can exploit the flaw, whereas the CVE title suggests subscriber-level authentication may be required; the precise required privileges remain unclear. If an attacker succeeds, they can move arbitrary files on the server, enabling remote code execution by displacing a malicious script into a web-reachable directory or by altering configuration files.

Generated by OpenCVE AI on April 22, 2026 at 21:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Directorist plugin to a version newer than 8.4.8 that fixes the file‑path validation bug.
  • If an upgrade is not immediately possible, restrict or disable the add_listing_action AJAX endpoint for unauthenticated users or restrict its allowed file paths to prevent arbitrary file movement.
  • After applying a fix or restriction, verify that crucial files such as "wp-config.php" are not writable by the web server and review file permissions to mitigate the risk of unauthorized changes.

Advisories

No advisories yet.

History

Mon, 27 Oct 2025 22:30:00 +0000

Values Added
  First Time appeared: Wordpress; Wordpress wordpress; Wpwax; Wpwax directorist
  Vendors & Products: Wordpress; Wordpress wordpress; Wpwax; Wpwax directorist

Mon, 27 Oct 2025 16:15:00 +0000

Values Added
  Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 25 Oct 2025 07:00:00 +0000

Values Added
  Description: The Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings plugin for WordPress is vulnerable to arbitrary file move due to insufficient file path validation in the add_listing_action AJAX action in all versions up to, and including, 8.4.8. This makes it possible for unauthenticated attackers to move arbitrary files on the server, which can easily lead to remote code execution when the right file is moved (such as wp-config.php).
  Title: Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings <= 8.4.8 - Authenticated (Subscriber+) Arbitrary File Move
  Weaknesses: CWE-22
  References:
  Metrics (cvssV3_1): {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:41:39.661Z

Reserved: 2025-09-15T14:42:08.792Z

Link: CVE-2025-10488

Vulnrichment

Updated: 2025-10-27T15:54:09.339Z

NVD

Status: Deferred

Published: 2025-10-25T07:15:37.323

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-10488

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T22:00:18Z

Weaknesses