CVE-2025-32629: Arbitrary File Access in WP-BusinessDirectory
- Platform: wordpress
- Component: wp-businessdirectory
- Fixed in: 3.1.3
CVE-2025-32629 describes an Arbitrary File Access vulnerability discovered in the WP-BusinessDirectory plugin for WordPress. This flaw allows attackers to potentially read sensitive files on the server by manipulating file paths. The vulnerability impacts versions from 0.0.0 up to and including 3.1.2. A patch has been released in version 3.1.3.
Impact and Attack Scenarios
The Arbitrary File Access vulnerability in WP-BusinessDirectory allows an attacker to read arbitrary files from the web server's file system. This could expose sensitive data such as configuration files, database credentials, or even source code. Successful exploitation could lead to complete compromise of the WordPress instance and potentially the underlying server. While the vulnerability requires path manipulation, the ease of doing so makes it a significant risk, particularly on systems with default configurations or inadequate file permissions. The impact is amplified if the server hosts multiple websites or applications, increasing the potential blast radius.
Exploitation Context
CVE-2025-32629 was publicly disclosed on 2025-04-11. There is currently no indication of active exploitation campaigns targeting this vulnerability. The vulnerability is not listed on the CISA KEV catalog at the time of writing. Public proof-of-concept exploits are not widely available, but the path traversal nature of the vulnerability makes it relatively straightforward to exploit.
Threat Intelligence
- Exploit Status
- EPSS: 0.38% (59th percentile)
- CISA SSVC
- CVSS Vector
- Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
- Attack Complexity: Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
- Privileges Required: None — unauthenticated. No login or credentials needed to exploit.
- User Interaction: None — attack is automatic and silent. Victim does nothing: no click, no file open.
- Scope: Changed — successful attack can pivot beyond the vulnerable component to other systems or the host OS.
- Confidentiality: None — no confidentiality impact. Attacker cannot read protected data.
- Integrity: None — no integrity impact. Attacker cannot modify data.
- Availability: High — complete crash or resource exhaustion. Full denial of service.
Affected Software
Package Information
- Active installs: 40
- Plugin rating: 4.5
- Requires WordPress: 4.9+
- Compatible up to: 6.9.4
- Requires PHP: 7.4+
Weakness Classification (CWE)
Timeline
- Reserved
- Published
- Modified
- EPSS updated
Mitigation and Workarounds
The primary mitigation for CVE-2025-32629 is to immediately upgrade the WP-BusinessDirectory plugin to version 3.1.3 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing a temporary workaround by restricting file access permissions on the WordPress server. Specifically, limit the web server's ability to read files outside of the designated web root directory. Web Application Firewalls (WAFs) can be configured with rules to detect and block requests containing suspicious path traversal sequences (e.g., '../'). After upgrading, verify the fix by attempting to access a non-public file via a crafted URL; the request should be denied.
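Detection logic for the WAF and log-review approach described above, as an added example that is not from the advisory, the plugin vendor, or CMSJunkie. It assumes Apache-style combined access logs and uses a placeholder query-parameter name, since the advisory does not name the vulnerable parameter; it also catches URL-encoded, double-encoded and backslash variants that a literal '../' rule would miss, while ignoring benign strings such as "a../b" that are not a real path segment.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (Apache combined format); not real traffic.
# "f" is a placeholder parameter name, not the plugin's real one.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Apr/2025:10:01:02 +0000] "GET /wp-content/plugins/wp-businessdirectory/?f=../../../../wp-config.php HTTP/1.1" 200 512
203.0.113.6 - - [12/Apr/2025:10:01:09 +0000] "GET /wp-content/plugins/wp-businessdirectory/?f=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1023
203.0.113.7 - - [12/Apr/2025:10:02:15 +0000] "GET /wp-content/plugins/wp-businessdirectory/?f=%252e%252e%252fwp-config.php HTTP/1.1" 403 0
198.51.100.9 - - [12/Apr/2025:10:03:00 +0000] "GET /wp-content/plugins/wp-businessdirectory/assets/style.css HTTP/1.1" 200 2048
198.51.100.10 - - [12/Apr/2025:10:03:30 +0000] "GET /blog/2025/a../b HTTP/1.1" 200 100
198.51.100.11 - - [12/Apr/2025:10:04:00 +0000] "GET /index.php?q=..%5c..%5cwindows%5cwin.ini HTTP/1.1" 404 0
"""

PLUGIN_PREFIX = "/wp-content/plugins/wp-businessdirectory/"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')
# ".." counts as traversal only when bounded by a separator or query delimiter.
DOTDOT_SEGMENT = re.compile(r'(?:^|[/\\?&=])\.\.(?:[/\\]|$)')


def normalise(url: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so single- and double-encoded
    sequences are exposed, then treat backslashes as path separators."""
    for _ in range(rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url.replace("\\", "/")


def is_traversal(url: str) -> bool:
    """True when the decoded URL contains a '..' path segment."""
    return bool(DOTDOT_SEGMENT.search(normalise(url)))


def scan_log(text: str, prefix: str = PLUGIN_PREFIX) -> list:
    """Return traversal attempts whose decoded URL starts with `prefix`
    (prefix="" scans the whole site). A 200 response on an unpatched
    install is the case to investigate first."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = normalise(m.group("url"))
        if decoded.startswith(prefix) and is_traversal(decoded):
            hits.append({"ip": m.group("ip"), "status": int(m.group("status")),
                         "decoded": decoded})
    return hits
```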
How to fix
Update the WP-BusinessDirectory plugin to the latest available version to fix the path traversal vulnerability. Check for available updates in the WordPress administration panel or through the WordPress plugin repository. Make sure to take a full backup of the site before applying any update.
Frequently asked questions
What is CVE-2025-32629 — Arbitrary File Access in WP-BusinessDirectory?
CVE-2025-32629 is a HIGH severity vulnerability allowing attackers to read arbitrary files on a WordPress server running the WP-BusinessDirectory plugin. It impacts versions 0.0.0–3.1.2.
Am I affected by CVE-2025-32629 in WP-BusinessDirectory?
You are affected if your WordPress site uses the WP-BusinessDirectory plugin and is running version 3.1.2 or earlier. Check your plugin versions immediately.
How do I fix CVE-2025-32629 in WP-BusinessDirectory?
Upgrade the WP-BusinessDirectory plugin to version 3.1.3 or later. If immediate upgrade is not possible, restrict file access permissions and consider WAF rules.
Is CVE-2025-32629 being actively exploited?
There is currently no confirmed evidence of active exploitation, but the vulnerability's nature makes it a potential target.
Where can I find the official WP-BusinessDirectory advisory for CVE-2025-32629?
Refer to the CMSJunkie website and WordPress plugin repository for the official advisory and update information.