Platform: wordpress
Component: business-directory-plugin
Fixed version: 6.4.20
CVE-2025-67596 identifies a Cross-Site Request Forgery (CSRF) vulnerability in the Strategy11 Team Business Directory WordPress plugin. In a CSRF attack, an attacker tricks an authenticated user's browser into submitting requests the user did not intend, which can lead to unauthorized modifications or deletions within the plugin. This vulnerability affects versions 0.0.0 through 6.4.19; a patch is available in version 6.4.20.
The CSRF vulnerability in Business Directory allows an attacker to execute actions on behalf of an authenticated user without that user's knowledge or consent. This could include creating, modifying, or deleting business listings, changing user roles, or performing other administrative tasks. The impact scales with the privileges of the targeted user: a malicious actor could use it to take control of the plugin's functionality and potentially compromise the entire WordPress site if the plugin has elevated privileges or access to sensitive data. The blast radius covers any user with access to the Business Directory plugin, particularly administrators.
CVE-2025-67596 was publicly disclosed on 2025-12-09. Currently, there are no known public proof-of-concept exploits available. The EPSS score is pending evaluation. It is recommended to prioritize patching due to the ease of CSRF exploitation and the potential impact on WordPress sites using the Business Directory plugin.
WordPress websites using the Strategy11 Team Business Directory plugin, particularly those running versions 0.0.0 through 6.4.19, are at risk. Sites on shared hosting where plugin updates are managed centrally, sites with limited security controls, and sites with a high volume of user traffic are also at risk.
• wordpress / composer / npm:
grep -r 'business-directory-plugin' /var/www/html/
wp plugin list | grep business-directory
• generic web:
curl -I https://your-wordpress-site.com/wp-admin/admin-ajax.php?action=business_directory_some_function
Disclosure
Exploit status
EPSS
0.02% (5th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-67596 is to immediately upgrade the Business Directory WordPress plugin to version 6.4.20 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) with CSRF protection rules. These rules can validate that requests originate from the expected source. Additionally, ensure that all user input is properly validated and sanitized to prevent malicious code injection. After upgrading, confirm the fix by attempting to trigger a CSRF attack using a tool like Burp Suite and verifying that the request is blocked or fails.
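The class of fix the 6.4.20 patch implies, as an added illustration that is not the Business Directory plugin's own code: a hypothetical WordPress admin-ajax delete handler in its CSRF-prone form beside the hardened form. The action name `demo_delete_listing`, the `listing_id` field, the capability checks and the script handle `demo-admin` are assumptions.

```php
<?php
// Added illustration, not the plugin's code. Names below are assumed.

// BEFORE: trusts any request that reaches admin-ajax.php. A logged-in
// user whose browser is made to submit this request from another site
// deletes the listing without intending to.
function demo_delete_listing_unsafe() {
    $id = (int) $_POST['listing_id'];
    wp_delete_post( $id, true );
    wp_send_json_success();
}
// add_action( 'wp_ajax_demo_delete_listing', 'demo_delete_listing_unsafe' );

// AFTER: bind the request to a nonce that only same-site pages receive,
// then check capabilities. check_ajax_referer() terminates with a 403
// on a missing or invalid nonce, so nothing below runs for a forged request.
function demo_delete_listing_safe() {
    check_ajax_referer( 'demo_delete_listing', '_ajax_nonce' );
    if ( ! current_user_can( 'delete_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $id = isset( $_POST['listing_id'] ) ? absint( wp_unslash( $_POST['listing_id'] ) ) : 0;
    // Per-object check: the user must be allowed to delete this listing.
    if ( 0 === $id || ! current_user_can( 'delete_post', $id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    wp_delete_post( $id, true );
    wp_send_json_success();
}
add_action( 'wp_ajax_demo_delete_listing', 'demo_delete_listing_safe' );

// The nonce is handed to the site's own admin script (assumed handle
// 'demo-admin', registered elsewhere); a cross-site page cannot read it.
function demo_enqueue_nonce() {
    wp_localize_script( 'demo-admin', 'demoAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'demo_delete_listing' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'demo_enqueue_nonce' );
```

A WAF rule that only checks the Origin or Referer header is a stopgap; the nonce plus capability check in the handler is the durable fix.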
Update to version 6.4.20 or a later fixed version.
CVE-2025-67596 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the Strategy11 Team Business Directory WordPress plugin, allowing attackers to perform unauthorized actions.
Yes, if you are using the Business Directory WordPress plugin in versions 0.0.0 through 6.4.19, you are vulnerable to this CSRF attack.
Upgrade the Business Directory WordPress plugin to version 6.4.20 or later. Consider a WAF as a temporary mitigation if upgrading is not immediately possible.
There are currently no known active exploits, but the ease of CSRF exploitation warrants prompt patching.
Refer to the Strategy11 Team's official website or WordPress plugin repository for the latest advisory and update information.