Platform
wordpress
Component
directorist
Fixed in
8.6.7
CVE-2025-68069 describes a missing authorization vulnerability within the Directorist WordPress plugin. This flaw allows attackers to exploit incorrectly configured access control security levels, potentially leading to unauthorized data access and manipulation. The vulnerability impacts versions of Directorist from 0.0.0 through 8.6.6, and a fix is available in version 8.6.7.
The impact of this missing authorization vulnerability is significant, as it allows attackers to bypass access controls and potentially gain access to sensitive data managed by the Directorist plugin. This could include user information, directory listings, and other critical data. An attacker could leverage this vulnerability to modify data, create unauthorized listings, or even gain administrative access to the WordPress site, depending on the plugin's configuration and the attacker's skill. The blast radius extends to any WordPress site utilizing the vulnerable Directorist plugin, potentially exposing a wide range of data and functionality.
The vulnerability was published on 2026-02-20. As of this date, there is no public evidence of active exploitation campaigns targeting CVE-2025-68069. The vulnerability's severity is rated as HIGH (7.1 CVSS), indicating a significant potential for exploitation if left unaddressed. No KEV or EPSS score is currently available.
Exploit Status
EPSS
0.03% (8% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-68069 is to immediately upgrade the Directorist plugin to version 8.6.7 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing stricter access control rules within the WordPress environment to limit the potential impact of the vulnerability. While not a complete fix, this can reduce the attack surface. Review and audit the plugin's configuration to ensure that access controls are properly enforced. After upgrading, verify the fix by attempting to access restricted resources without proper authentication to confirm that the vulnerability has been successfully patched.
Update to version 8.6.7, or a newer patched version
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-68069 is a HIGH severity authorization flaw in the Directorist WordPress plugin, allowing attackers to bypass access controls due to incorrectly configured security levels.
You are affected if you are using Directorist versions 0.0.0 through 8.6.6. Check your plugin version using wp plugin list | grep Directorist.
Upgrade the Directorist plugin to version 8.6.7 or later. If immediate upgrade is not possible, implement stricter access control rules within WordPress.
As of 2026-02-20, there is no public evidence of active exploitation campaigns targeting CVE-2025-68069.
Refer to the Directorist plugin website and WordPress plugin repository for the official advisory and update information related to CVE-2025-68069.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.