Platform: wordpress
Component: business-directory-plugin
Fixed in: 6.4.20
CVE-2025-67596 identifies a Cross-Site Request Forgery (CSRF) vulnerability within the Strategy11 Team Business Directory WordPress plugin. A CSRF attack allows an attacker to trick a user into performing actions they did not intend to, potentially leading to unauthorized modifications or deletions within the plugin. This vulnerability impacts versions from 0.0.0 through 6.4.19, but a patch is available in version 6.4.20.
The CSRF vulnerability in Business Directory allows an attacker to execute actions on behalf of an authenticated user without their knowledge or consent. This could involve creating, modifying, or deleting business listings, changing user roles, or performing other administrative tasks. The impact is directly proportional to the privileges of the user being impersonated. A malicious actor could leverage this to gain control over the plugin's functionality and potentially compromise the entire WordPress site if the plugin has elevated privileges or access to sensitive data. The blast radius extends to any user with access to the Business Directory plugin, particularly administrators.
CVE-2025-67596 was publicly disclosed on 2025-12-09. Currently, there are no known public proof-of-concept exploits available. The EPSS score is pending evaluation. It is recommended to prioritize patching due to the ease of CSRF exploitation and the potential impact on WordPress sites using the Business Directory plugin.
Exploit Status
EPSS: 0.02% (5th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-67596 is to immediately upgrade the Business Directory WordPress plugin to version 6.4.20 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) with CSRF protection rules. These rules can validate that requests originate from the expected source. Additionally, ensure that all user input is properly validated and sanitized to prevent malicious code injection. After upgrading, confirm the fix by attempting to trigger a CSRF attack using a tool like Burp Suite and verifying that the request is blocked or fails.
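CSRF protection in WordPress is normally done with nonces: a state-changing handler refuses any request that does not carry a nonce minted for that action and for the current user's session, which a form on an attacker-controlled site cannot supply. The following is an added illustration of that pattern and is not code from the Business Directory plugin or from Strategy11; the action name `bd_demo_delete_listing`, the nonce field `bd_demo_nonce`, the POST field `listing_id` and the admin page slug `bd-demo` are all hypothetical. It shows an unprotected handler beside the hardened form of the same handler and the form that legitimately drives it.

```php
<?php
// Added illustration, not code from the Business Directory plugin.
// Action, nonce and field names below are hypothetical placeholders.

// BEFORE: a state-changing admin-post handler that checks capability but
// not request origin. Any site a logged-in editor visits can auto-submit a
// form to wp-admin/admin-post.php and the deletion runs in the editor's
// session. Shown for contrast only; it is deliberately not registered.
function bd_demo_delete_listing_unprotected() {
    if ( ! current_user_can( 'delete_posts' ) ) {
        wp_die( 'Insufficient privileges', 403 );
    }
    $listing_id = absint( $_POST['listing_id'] ?? 0 );
    wp_delete_post( $listing_id, true ); // capability checked, origin not
    wp_safe_redirect( admin_url( 'admin.php?page=bd-demo' ) );
    exit;
}

// AFTER: the same handler gated on a nonce tied to the action and to the
// current user's session. A cross-site form cannot obtain that value, so
// check_admin_referer() stops the request before anything is deleted.
function bd_demo_delete_listing_protected() {
    // Dies with WordPress's 403 "The link you followed has expired" page
    // when the nonce is missing, stale, or minted for another user/action.
    check_admin_referer( 'bd_demo_delete_listing', 'bd_demo_nonce' );

    if ( ! current_user_can( 'delete_posts' ) ) {
        wp_die( 'Insufficient privileges', 403 );
    }
    $listing_id = absint( $_POST['listing_id'] ?? 0 );
    // Per-object capability check: the user must be allowed to delete
    // this particular listing, not just listings in general.
    if ( $listing_id && current_user_can( 'delete_post', $listing_id ) ) {
        wp_delete_post( $listing_id, true );
    }
    wp_safe_redirect( admin_url( 'admin.php?page=bd-demo' ) );
    exit;
}
add_action( 'admin_post_bd_demo_delete_listing', 'bd_demo_delete_listing_protected' );

// The form that legitimately drives the protected handler. wp_nonce_field()
// emits the hidden "bd_demo_nonce" input (plus _wp_http_referer) that the
// handler's check_admin_referer() call expects.
function bd_demo_render_delete_form( $listing_id ) {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="bd_demo_delete_listing">
        <input type="hidden" name="listing_id" value="<?php echo absint( $listing_id ); ?>">
        <?php wp_nonce_field( 'bd_demo_delete_listing', 'bd_demo_nonce' ); ?>
        <button type="submit">Delete listing</button>
    </form>
    <?php
}
```

When verifying a fix in a plugin like this, the check is the same shape as the hardened handler above: every handler that creates, modifies or deletes data should call `check_admin_referer()`, `check_ajax_referer()` or `wp_verify_nonce()` before acting, and a replayed request with the nonce field removed or altered should fail rather than succeed.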
Update to version 6.4.20, or a newer patched version
CVE-2025-67596 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the Strategy11 Team Business Directory WordPress plugin, allowing attackers to perform unauthorized actions.
Yes, if you are using the Business Directory WordPress plugin in versions 0.0.0 through 6.4.19, you are vulnerable to this CSRF attack.
Upgrade the Business Directory WordPress plugin to version 6.4.20 or later. Consider a WAF as a temporary mitigation if upgrading is not immediately possible.
There are currently no known active exploits, but the ease of CSRF exploitation warrants prompt patching.
Refer to the Strategy11 Team's official website or WordPress plugin repository for the latest advisory and update information.