Description
Cross-Site Request Forgery (CSRF) vulnerability in Designinvento DirectoryPress directorypress allows Cross Site Request Forgery.This issue affects DirectoryPress: from n/a through <= 3.6.22.
Published: 2025-04-04
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a Cross‑Site Request Forgery flaw that allows attackers to induce authenticated users to submit requests that perform actions the attacker intends. Because the flaw utilizes lack of CSRF protection in the DirectoryPress plugin, an attacker can execute spurious operations such as creating, editing, or deleting listings, or any other privileged action the plugin exposes. The weakness is identified as CWE‑352.

Affected Systems

Affected systems are installations of the Designinvento DirectoryPress WordPress plugin at version 3.6.22 or earlier. The plugin runs within any WordPress site that has it installed; no other versions are listed as affected.

Risk and Exploitability

The CVSS score of 5.4 indicates a medium risk level, and the EPSS score of <1% suggests a low probability of real-world exploitation. The vulnerability is not catalogued in CISA’s KEV list. The likely attack vector is web traffic directed at the plugin’s endpoints, requiring the victim to be logged in, which means targeted or phishing attacks can trigger the exploit. Because exploitation requires an authenticated session, the impact is limited to the privileges of the target account, but could still lead to significant data tampering or defacement.

Generated by OpenCVE AI on May 1, 2026 at 00:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade DirectoryPress to a version newer than 3.6.22.
  • If an upgrade cannot be performed immediately, disable the plugin or the specific feature that exposes the vulnerable endpoint until a patch is available.
  • Ensure the WordPress core and all other plugins are kept current and enforce HTTPS for all user authentication to reduce the window for CSRF attacks.

Generated by OpenCVE AI on May 1, 2026 at 00:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-9796 Cross-Site Request Forgery (CSRF) vulnerability in designinvento DirectoryPress allows Cross Site Request Forgery. This issue affects DirectoryPress: from n/a through 3.6.19.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in designinvento DirectoryPress allows Cross Site Request Forgery. This issue affects DirectoryPress: from n/a through 3.6.19. Cross-Site Request Forgery (CSRF) vulnerability in Designinvento DirectoryPress directorypress allows Cross Site Request Forgery.This issue affects DirectoryPress: from n/a through <= 3.6.22.
Title WordPress DirectoryPress – Business Directory And Classified Ad Listing Plugin <=3.6.19 - Cross Site Request Forgery (CSRF) vulnerability WordPress DirectoryPress Plugin <= 3.6.22 - Cross Site Request Forgery (CSRF) vulnerability
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L'}

Fri, 04 Apr 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 04 Apr 2025 16:15:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in designinvento DirectoryPress allows Cross Site Request Forgery. This issue affects DirectoryPress: from n/a through 3.6.19.
Title WordPress DirectoryPress – Business Directory And Classified Ad Listing Plugin <=3.6.19 - Cross Site Request Forgery (CSRF) vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L'}

Subscriptions

Designinvento Directorypress
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-12T00:03:08.570Z

Reserved: 2025-04-04T10:02:07.011Z

Link: CVE-2025-32249

cve-icon Vulnrichment

Updated: 2025-04-04T20:12:52.842Z

cve-icon NVD

Status : Deferred

Published: 2025-04-04T16:15:34.123

Modified: 2026-04-23T15:28:50.093

Link: CVE-2025-32249

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T00:30:04Z

Weaknesses