Platform: wordpress
Component: directorist
Fixed in: 8.4.9
CVE-2025-10488 describes an arbitrary file access vulnerability affecting the Directorist: AI-Powered Business Directory plugin for WordPress, specifically versions from 0.0.0 up to and including 8.4.8. This flaw allows unauthenticated attackers to manipulate file paths, potentially leading to the movement of critical system files. Successful exploitation could result in remote code execution, compromising the entire WordPress installation. A patch is available in version 8.4.9.
The primary impact of CVE-2025-10488 is the potential for remote code execution (RCE). An attacker can exploit this vulnerability by manipulating the file path within the addlistingaction AJAX action. By strategically moving files, such as wp-config.php, they can gain access to sensitive configuration data, including database credentials. This access can then be leveraged to execute arbitrary code on the server, effectively taking control of the WordPress site. The ease of exploitation, combined with the potential for complete system compromise, makes this a significant security risk. This vulnerability resembles other file manipulation flaws where attackers exploit insufficient input validation to gain unauthorized access and control.
CVE-2025-10488 was publicly disclosed on 2025-10-25. There is no indication of this vulnerability being actively exploited in the wild at this time. No public proof-of-concept (PoC) code has been released, but the vulnerability's nature suggests that a PoC is likely to emerge. It is not listed on the CISA KEV catalog as of this writing.
Exploit Status
EPSS: 0.21% (43rd percentile)
CISA SSVC
CVSS Vector
The most effective mitigation for CVE-2025-10488 is to immediately upgrade the Directorist plugin to version 8.4.9 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing temporary workarounds. These may include restricting file upload permissions, implementing stricter file path validation on the server-side, and disabling the addlistingaction AJAX action if it is not essential. Web application firewalls (WAFs) can be configured to block requests containing suspicious file path manipulations. After upgrading, verify the fix by attempting to access sensitive files through the vulnerable AJAX endpoint and confirming that access is denied.
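The server-side path validation recommended above is the general fix for an arbitrary file move: canonicalise every user-supplied path and refuse any that resolves outside the directory the feature is meant to operate on. The following is an added example written for this page, not Directorist code and not taken from the advisory; it is in Python rather than PHP so that it runs stand-alone, and the directory layout, file names and the `resolve_within`/`safe_move` helper names are constructed assumptions.

```python
import os
import tempfile
from typing import Optional


def resolve_within(base_dir: str, user_path: str) -> Optional[str]:
    """Canonicalise user_path relative to base_dir and return it only if it
    stays inside base_dir (and is not base_dir itself); otherwise return None.

    Absolute paths, embedded NUL bytes, '..' traversal and symlinks pointing
    outside base_dir are all rejected: realpath() resolves each of them to
    its real location before the containment test runs.
    """
    if "\x00" in user_path:          # NUL can truncate the path in C-level APIs
        return None
    if os.path.isabs(user_path):     # only relative names are acceptable input
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    try:
        common = os.path.commonpath([base, candidate])
    except ValueError:               # e.g. mixed drive letters on Windows
        return None
    if common != base or candidate == base:
        return None
    return candidate


def safe_move(base_dir: str, src_rel: str, dst_rel: str) -> bool:
    """Move a regular file, but only when both endpoints resolve inside base_dir."""
    src = resolve_within(base_dir, src_rel)
    dst = resolve_within(base_dir, dst_rel)
    if src is None or dst is None:
        return False
    if not os.path.isfile(src):      # no directories, sockets or dangling links
        return False
    if not os.path.isdir(os.path.dirname(dst)):
        return False
    os.replace(src, dst)
    return True


def demo() -> dict:
    """Constructed scenario (hypothetical layout): a throwaway tree with an
    uploads directory and a stand-in wp-config.php two levels above it."""
    with tempfile.TemporaryDirectory() as tmp:
        uploads = os.path.join(tmp, "wp-content", "uploads")
        os.makedirs(os.path.join(uploads, "listings"))
        config = os.path.join(tmp, "wp-config.php")
        with open(config, "w") as fh:
            fh.write("<?php // constructed stand-in, not a real config\n")
        with open(os.path.join(uploads, "listings", "photo.jpg"), "wb") as fh:
            fh.write(b"\xff\xd8")    # constructed JPEG header bytes

        # Legitimate rename inside the uploads tree: allowed.
        allowed = safe_move(uploads, "listings/photo.jpg", "listings/photo-1.jpg")
        # Traversal out of the tree towards wp-config.php: refused, file untouched.
        blocked = safe_move(uploads, "../../wp-config.php", "listings/leaked.php")
        return {
            "allowed": allowed,
            "blocked": blocked,
            "config_intact": os.path.isfile(config),
            "renamed_exists": os.path.isfile(
                os.path.join(uploads, "listings", "photo-1.jpg")
            ),
        }


if __name__ == "__main__":
    print(demo())
```

The check is applied to both the source and the destination of the move, since either endpoint escaping the base directory is enough to relocate a sensitive file; the same containment test can be expressed in PHP with `realpath()` and a prefix comparison against the uploads directory.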
Update the Directorist plugin to the latest available version to fix the arbitrary file move vulnerability. Check for available updates in the WordPress admin dashboard or in the WordPress plugin repository. Make sure to take a full backup of your website before applying any update.
CVE-2025-10488 is a HIGH severity vulnerability in the Directorist WordPress plugin allowing unauthenticated attackers to move files, potentially leading to RCE. It affects versions 0.0.0–8.4.8.
Yes, if you are using Directorist plugin versions 0.0.0 through 8.4.8, you are affected by this vulnerability. Upgrade immediately.
Upgrade the Directorist plugin to version 8.4.9 or later to patch the vulnerability. Consider temporary workarounds if immediate upgrade is not possible.
There is currently no evidence of active exploitation, but the vulnerability's nature suggests a PoC is likely to emerge.
Refer to the official Directorist plugin website or WordPress plugin directory for the latest advisory and update information.