CVE-2025-10488 in Directorist Plugin
Summary
by MITRE • 10/25/2025
The Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings plugin for WordPress is vulnerable to arbitrary file move due to insufficient file path validation in the add_listing_action AJAX action in all versions up to, and including, 8.4.8. This makes it possible for unauthenticated attackers to move arbitrary files on the server, which can easily lead to remote code execution when the right file is moved (such as wp-config.php).
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 10/25/2025
The vulnerability identified as CVE-2025-10488 affects the Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings WordPress plugin, presenting a critical security risk that stems from inadequate input validation within the add_listing_action AJAX endpoint. This flaw exists in all plugin versions up to and including 8.4.8, making it a widespread concern for WordPress installations utilizing this specific directory plugin. The vulnerability lies in the plugin's failure to properly sanitize and validate file paths during the file moving operation, creating an avenue for malicious actors to manipulate the system's file operations.
The technical implementation of this vulnerability allows unauthenticated attackers to exploit the add_listing_action AJAX action by manipulating file path parameters that are processed without adequate validation. When an attacker submits a request containing malicious file path data, the plugin processes these inputs directly without proper sanitization, enabling the execution of arbitrary file move operations. This weakness directly maps to CWE-73, which describes improper neutralization of special elements in file paths, and represents a classic example of path traversal vulnerabilities that can be exploited for privilege escalation and system compromise.
The operational impact of this vulnerability extends far beyond simple file manipulation, as it creates a potential pathway to complete system compromise through remote code execution. While the vulnerability itself allows for arbitrary file movement, the real danger emerges when attackers target critical system files such as wp-config.php, which contains database credentials and other sensitive configuration data. The ability to move such files provides attackers with the means to either completely disable the WordPress installation or to gain deeper access to the underlying server infrastructure. This vulnerability can be leveraged to establish persistent access, exfiltrate sensitive data, or deploy malicious payloads that could compromise the entire hosting environment.
Organizations and WordPress administrators should immediately implement mitigations that include updating to the latest plugin version where this vulnerability has been addressed, as well as implementing additional security measures such as restricting access to AJAX endpoints and monitoring for unusual file operations. The ATT&CK framework categorizes this vulnerability under T1059.007 for command and scripting interpreter, as the ability to move critical files like wp-config.php could enable attackers to execute system commands or deploy malicious code. Additionally, implementing proper input validation and output encoding practices, as recommended by OWASP, would prevent similar vulnerabilities from occurring in other components of the WordPress ecosystem. The vulnerability demonstrates the critical importance of validating all user inputs and implementing proper access controls, particularly for AJAX endpoints that handle file operations.