Platform: wordpress
Component: directorist
Fixed in: 8.6.7
CVE-2025-64250 describes an Open Redirect vulnerability within the Directorist WordPress plugin. This flaw allows attackers to redirect users to arbitrary, potentially malicious websites, posing a significant phishing risk. The vulnerability impacts versions from 0.0.0 up to and including 8.6.6, but has been resolved in version 8.6.7.
An attacker can exploit this Open Redirect vulnerability to craft deceptive links that appear legitimate but redirect users to phishing sites designed to steal credentials or install malware. The attacker could embed these malicious links in emails, social media posts, or even on compromised websites. Successful redirection can lead to credential theft, malware infection, and further compromise of user accounts and systems. The blast radius extends to all users who interact with Directorist-powered websites and click on these crafted links, particularly if they trust the originating source.
CVE-2025-64250 was published on December 16, 2025. Severity is currently assessed as Medium (CVSS 4.7). No Proof-of-Concept (PoC) exploit had been publicly disclosed at the time of writing. There are no indications of active campaigns targeting this vulnerability, but the ease of exploitation means it remains a potential threat.
Exploit Status
EPSS: 0.04% (11th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-64250 is to immediately upgrade the Directorist plugin to version 8.6.7 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing a Web Application Firewall (WAF) rule to filter out redirect requests to suspicious domains. Carefully review and sanitize any user-supplied input used in redirect URLs to prevent malicious manipulation. Monitor web server logs for unusual redirect patterns that might indicate exploitation attempts.
Update to version 8.6.7, or a newer patched version
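The sanitization step described above, as an added illustration of how a WordPress plugin can validate a user-supplied redirect target with core's own allowlist functions (this is example code, not Directorist's fix; the `redirect_to` parameter, the `example_` function name and the `partner.example` host are assumptions):

```php
<?php
// Added example: validating a user-supplied redirect target in a WordPress
// plugin before redirecting. Assumes WordPress core is loaded and that the
// target arrives in a hypothetical `redirect_to` query parameter.

// wp_validate_redirect() only allows the site's own host by default; this
// filter extends the allowlist with a constructed placeholder partner host.
add_filter( 'allowed_redirect_hosts', function ( array $hosts ) {
    $hosts[] = 'partner.example';
    return $hosts;
} );

/**
 * Return a safe redirect URL: the requested target if it points at an
 * allowed host over http(s), otherwise the site's home page.
 */
function example_safe_redirect_target( string $requested ): string {
    $fallback  = home_url( '/' );
    $requested = trim( wp_unslash( $requested ) );

    // Reject scheme-relative forms such as "//evil.example" or "\\evil.example"
    // explicitly; core also catches these, but the intent stays visible.
    if ( preg_match( '#^[\\\\/]{2}#', $requested ) ) {
        return $fallback;
    }

    // Only http(s) URLs or relative paths may be redirect targets.
    $scheme = wp_parse_url( $requested, PHP_URL_SCHEME );
    if ( false === $scheme ) {
        return $fallback; // malformed URL
    }
    if ( null !== $scheme && ! in_array( strtolower( $scheme ), array( 'http', 'https' ), true ) ) {
        return $fallback; // e.g. javascript:, data:
    }

    // Returns $fallback when the host is not the site host or in the
    // 'allowed_redirect_hosts' allowlist.
    return wp_validate_redirect( $requested, $fallback );
}

// Usage at the point where the plugin would perform the redirect.
add_action( 'template_redirect', function () {
    if ( ! isset( $_GET['redirect_to'] ) ) {
        return;
    }
    $target = example_safe_redirect_target( (string) $_GET['redirect_to'] );
    wp_safe_redirect( $target, 302 ); // re-validates against the same allowlist
    exit;
} );
```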
CVE-2025-64250 is a vulnerability in the Directorist WordPress plugin allowing attackers to redirect users to malicious websites via crafted links, potentially leading to phishing attacks.
If you are using Directorist version 0.0.0 through 8.6.6, you are affected by this vulnerability. Upgrade to 8.6.7 or later to mitigate the risk.
The recommended fix is to upgrade the Directorist plugin to version 8.6.7 or a later version. Consider WAF rules as a temporary workaround if immediate upgrade is not possible.
There are currently no confirmed reports of active exploitation, but the vulnerability's ease of exploitation means it remains a potential threat.
Refer to the official Directorist plugin website and WordPress plugin repository for the latest security advisory and update information regarding CVE-2025-64250.