Vulnerability Description
The Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings plugin for WordPress is vulnerable to arbitrary file move due to insufficient file path validation in the add_listing_action AJAX action in all versions up to, and including, 8.4.8. This makes it possible for unauthenticated attackers to move arbitrary files on the server, which can easily lead to remote code execution when the right file is moved (such as wp-config.php).
CVSS Score
HIGH
Related Weaknesses (CWE)
References
- https://plugins.trac.wordpress.org/browser/directorist/tags/8.4.5/includes/class
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old
- https://www.wordfence.com/threat-intel/vulnerabilities/id/2249ef72-9955-4636-b32
FAQ
What is CVE-2025-10488?
CVE-2025-10488 is a vulnerability with a CVSS score of 8.1 (HIGH). The Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings plugin for WordPress is vulnerable to arbitrary file move due to insufficient file path validation in the add_listing...
How severe is CVE-2025-10488?
CVE-2025-10488 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-10488?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.