Description
The Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the 'parse_query' function in all versions up to, and including, 8.2. This makes it possible for unauthenticated attackers to update the post_status of any post to 'publish'.
Published: 2025-03-25
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized post publishing
Action: Apply Patch
AI Analysis

Impact

The vulnerability exists in the Directorist plugin for WordPress, where a missing capability check on the parse_query function allows any user, including unauthenticated ones, to change a post's status to 'publish'. This flaw permits attackers to publish arbitrary content, potentially leading to defacement, phishing, or spam posts. The weakness is classified as Missing Authorization, CWE-862.

Affected Systems

The affected product is wpwax Directorist: AI-Powered Business Directory Plugin, Listings & Classified Ads for WordPress, in versions up to and including 8.2. All earlier versions carry the same issue because the capability check is absent in all of them; any post type served by this plugin can be altered by an attacker.

Risk and Exploitability

The CVSS score of 5.3 indicates medium severity, and the EPSS score of less than 1% points to a low likelihood of current exploitation. However, because the flaw does not require authentication and affects content integrity, attackers can abuse it to post unwanted material. The vulnerability is not listed in CISA KEV, but its potential impact warrants immediate remediation.

Generated by OpenCVE AI on April 21, 2026 at 21:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Directorist plugin to version 8.3 or later where the capability check is implemented.
  • If upgrading is not immediately feasible, restrict the ability to change post status to trusted roles or remove the faulty capability check if possible.
  • Implement monitoring to detect sudden changes in post status or unexpected published content and alert administrators.


Advisories
Source: EUVD
ID: EUVD-2025-8049
Title: The Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the 'parse_query' function in all versions up to, and including, 8.2. This makes it possible for unauthenticated attackers to update the post_status of any post to 'publish'.

History

Mon, 31 Mar 2025 19:15:00 +0000

Values added:

  • Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 25 Mar 2025 05:30:00 +0000

Values added:

  • Description: The Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the 'parse_query' function in all versions up to, and including, 8.2. This makes it possible for unauthenticated attackers to update the post_status of any post to 'publish'.
  • Title: Directorist <= 8.2 - Missing Authorization to Unauthenticated Arbitrary Post Publishing
  • Weaknesses: CWE-862
  • References
  • Metrics: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:58:26.368Z

Reserved: 2025-03-11T17:29:40.677Z

Link: CVE-2025-2224

Vulnrichment

Updated: 2025-03-31T18:18:24.651Z

NVD

Status: Deferred

Published: 2025-03-25T06:15:41.327

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-2224

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T21:45:25Z
