Description
Cross-Site Request Forgery (CSRF) vulnerability in Strategy11 Team Business Directory business-directory-plugin allows Cross Site Request Forgery.This issue affects Business Directory: from n/a through <= 6.4.19.
Published: 2025-12-09
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Business Directory plugin for WordPress contains a CSRF flaw that permits malicious sites to trigger actions on behalf of an authenticated user. Because the plugin does not adequately verify request origins or include anti‑CSRF tokens, an attacker can submit forged requests that modify or delete directory entries, potentially exposing or tampering with business listings.

Affected Systems

Strategy11 Team Business Directory plugin, versions from the earliest release through and including 6.4.19, are affected. All earlier releases are also vulnerable.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity, while the EPSS score of < 1% points to a low likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. A likely attack vector involves a victim who is logged into WordPress and visits a malicious site that submits a forged request; no elevated privileges are required beyond those of a normal authenticated user.

Generated by OpenCVE AI on April 29, 2026 at 19:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Business Directory plugin to the latest release that resolves the CSRF flaw (any version newer than 6.4.19).
  • If an upgrade cannot be performed immediately, disable or remove the vulnerability‑exposed functionality of the plugin until a patch is applied.
  • As a temporary measure, implement a server‑side CSRF token (nonce) check for all state‑changing requests handled by the plugin, ensuring that only legitimate sessions can execute such actions.

Generated by OpenCVE AI on April 29, 2026 at 19:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}

 cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Wed, 10 Dec 2025 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Strategy11
Strategy11 business Directory Plugin
Wordpress
Wordpress wordpress
Vendors & Products Strategy11
Strategy11 business Directory Plugin
Wordpress
Wordpress wordpress

Tue, 09 Dec 2025 22:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 09 Dec 2025 14:30:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in Strategy11 Team Business Directory business-directory-plugin allows Cross Site Request Forgery.This issue affects Business Directory: from n/a through <= 6.4.19.
Title WordPress Business Directory plugin <= 6.4.19 - Cross Site Request Forgery (CSRF) vulnerability
Weaknesses CWE-352
References

Subscriptions

Strategy11 Business Directory Plugin
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:22.228Z

Reserved: 2025-12-09T12:21:48.325Z

Link: CVE-2025-67596

cve-icon Vulnrichment

Updated: 2025-12-09T21:15:39.885Z

cve-icon NVD

Status : Deferred

Published: 2025-12-09T16:18:37.890

Modified: 2026-04-27T18:16:46.030

Link: CVE-2025-67596

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T19:30:18Z

Weaknesses