Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-10488

CVE-2025-10488: WordPress Directorist Plugin RCE Vulnerability

CVE-2025-10488 is a remote code execution vulnerability in the WordPress Directorist plugin that allows unauthenticated attackers to move arbitrary files. This article covers technical details, affected versions, and mitigations.

Published:

CVE-2025-10488 Overview

CVE-2025-10488 affects the Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings for WordPress. The flaw resides in the add_listing_action AJAX handler, which fails to validate file paths before moving files on the server. All versions up to and including 8.4.8 are affected. Authenticated attackers with minimal privileges can move arbitrary files anywhere on the filesystem. Relocating sensitive files such as wp-config.php exposes database credentials and authentication keys, and can be chained into remote code execution. The weakness is classified as Path Traversal [CWE-22].

Critical Impact

Attackers can move arbitrary server files, including wp-config.php, enabling credential exposure and remote code execution on affected WordPress sites.

Affected Products

  • Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings for WordPress
  • All versions up to and including 8.4.8
  • WordPress sites running the vulnerable Directorist plugin

Discovery Timeline

  • 2025-10-25 - CVE-2025-10488 published to NVD
  • 2026-04-15 - Last updated in NVD database

Technical Details for CVE-2025-10488

Vulnerability Analysis

The Directorist plugin exposes the add_listing_action AJAX endpoint to handle listing submissions, including image and attachment uploads. The handler accepts file path parameters from the request and passes them into a file move operation without enforcing that the source and destination paths remain within the plugin's expected upload directory. Because the AJAX action is registered for low-privilege users, an attacker only needs a basic authenticated session to invoke it.

The Wordfence advisory and the plugin source reference at includes/classes/class-add-listing.php line 634 confirm the missing validation in the file move logic. Once an attacker can relocate files on the server, they can break WordPress integrity, overwrite plugin files, or stage code into web-accessible paths. Moving wp-config.php to a public location exposes database credentials, secret keys, and salts, which can be reused to compromise the database or forge authenticated sessions.

Root Cause

The root cause is insufficient validation of user-controlled file paths passed to the file move routine inside add_listing_action. The plugin trusts client-supplied source and destination values rather than constraining them to a known upload directory.

Attack Vector

Exploitation occurs over the network through standard WordPress AJAX requests. The attacker submits a crafted listing request to admin-ajax.php with manipulated path parameters, causing the plugin to move a target file to an attacker-controlled location. No user interaction is required, and the attack scales against any internet-exposed WordPress site running a vulnerable Directorist version.

Technical details are documented in the WordPress plugin source viewer, the plugin changeset, and the Wordfence vulnerability report.

Detection Methods for CVE-2025-10488

Indicators of Compromise

  • Unexpected POST requests to admin-ajax.php with the action=add_listing_action parameter from low-privilege accounts.
  • Path traversal sequences such as ../ or absolute filesystem paths inside listing submission parameters.
  • wp-config.php or other core files appearing in unexpected locations under wp-content/uploads/ or other web-accessible directories.
  • Newly created or relocated PHP files in upload paths that were not present before the request.

Detection Strategies

  • Inspect web server access logs for AJAX requests invoking add_listing_action with suspicious file path values.
  • Run filesystem integrity checks on WordPress core files, particularly wp-config.php, to detect movement or duplication.
  • Correlate WordPress audit logs with web server logs to identify low-privilege users triggering listing submissions outside normal patterns.

Monitoring Recommendations

  • Alert on any file write or rename activity targeting wp-config.php and other WordPress configuration files.
  • Monitor for new PHP files written under wp-content/uploads/ and other directories that should not contain executable code.
  • Track outbound database connections originating from non-application processes that may indicate stolen credential reuse.

How to Mitigate CVE-2025-10488

Immediate Actions Required

  • Update the Directorist plugin to a version later than 8.4.8 as soon as the vendor patch is available.
  • Audit the WordPress filesystem for moved or duplicated copies of wp-config.php and rotate database credentials, AUTH_KEY, and salts if any tampering is found.
  • Restrict registration and listing submission to trusted users until patching is complete.

Patch Information

The vendor addressed the issue in a commit referenced by the Directorist plugin changeset 3377181. Site administrators should upgrade to the fixed release published on the WordPress plugin repository and verify the installed version no longer reports as 8.4.8 or earlier.

Workarounds

  • Deactivate the Directorist plugin until an upgrade can be applied.
  • Deploy a web application firewall rule that blocks admin-ajax.php requests where the add_listing_action parameters contain ../, absolute paths, or references to wp-config.php.
  • Enforce filesystem permissions that prevent the PHP process from writing to directories outside wp-content/uploads/.
  • Disable open user registration to reduce the pool of accounts that can reach the vulnerable AJAX action.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.