Platform
wordpress
Component
wp-businessdirectory
Fixed in
3.1.3
CVE-2025-32629 describes an Arbitrary File Access vulnerability discovered in the WP-BusinessDirectory plugin for WordPress. This flaw allows attackers to potentially read sensitive files on the server by manipulating file paths. The vulnerability impacts versions from 0.0.0 up to and including 3.1.2. A patch has been released in version 3.1.3.
The Arbitrary File Access vulnerability in WP-BusinessDirectory allows an attacker to read arbitrary files from the web server's file system. This could expose sensitive data such as configuration files, database credentials, or even source code. Successful exploitation could lead to complete compromise of the WordPress instance and potentially the underlying server. While the vulnerability requires path manipulation, the ease of doing so makes it a significant risk, particularly on systems with default configurations or inadequate file permissions. The impact is amplified if the server hosts multiple websites or applications, increasing the potential blast radius.
CVE-2025-32629 was publicly disclosed on 2025-04-11. There is currently no indication of active exploitation campaigns targeting this vulnerability. The vulnerability is not listed on the CISA KEV catalog at the time of writing. Public proof-of-concept exploits are not widely available, but the path traversal nature of the vulnerability makes it relatively straightforward to exploit.
Exploit Status
EPSS
0.38% (59% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-32629 is to immediately upgrade the WP-BusinessDirectory plugin to version 3.1.3 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing a temporary workaround by restricting file access permissions on the WordPress server. Specifically, limit the web server's ability to read files outside of the designated web root directory. Web Application Firewalls (WAFs) can be configured with rules to detect and block requests containing suspicious path traversal sequences (e.g., '../'). After upgrading, verify the fix by attempting to access a non-public file via a crafted URL; the request should be denied.
Actualice el plugin WP-BusinessDirectory a la última versión disponible para solucionar la vulnerabilidad de recorrido de ruta. Verifique las actualizaciones disponibles en el panel de administración de WordPress o a través del repositorio de plugins de WordPress. Asegúrese de realizar una copia de seguridad completa del sitio antes de aplicar cualquier actualización.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-32629 is a HIGH severity vulnerability allowing attackers to read arbitrary files on a WordPress server running the WP-BusinessDirectory plugin. It impacts versions 0.0.0–3.1.2.
You are affected if your WordPress site uses the WP-BusinessDirectory plugin and is running version 3.1.2 or earlier. Check your plugin versions immediately.
Upgrade the WP-BusinessDirectory plugin to version 3.1.3 or later. If immediate upgrade is not possible, restrict file access permissions and consider WAF rules.
There is currently no confirmed evidence of active exploitation, but the vulnerability's nature makes it a potential target.
Refer to the CMSJunkie website and WordPress plugin repository for the official advisory and update information.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.