Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings < 8.4.9 – Authenticated (Subscriber+) Arbitrary File Move | CVE 2025-10488 | Plugin Vulnerabilities

Description

The Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings plugin for WordPress is vulnerable to arbitrary file move due to insufficient file path validation in the add_listing_action AJAX action in all versions up to, and including, 8.4.8. This makes it possible for unauthenticated attackers to move arbitrary files on the server, which can easily lead to remote code execution when the right file is moved (such as wp-config.php).

Affects Plugins

Fixed in 8.4.9

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/2249ef72-9955-4636-b32f-e88720923268

Classification

Type

LFI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Arkadiusz Hydzik

Verified

No

WPVDB ID

1cbbd494-3b16-48c0-babf-1e2eb46ce6ed

Timeline

Publicly Published

2025-10-24 (about 7 months ago)

Added

2025-10-24 (about 7 months ago)

Last Updated

2025-10-25 (about 7 months ago)

Other

Published

Title

Published

2026-03-20

Title

WooCommerce Support Ticket System < 18.5 - Unauthenticated Arbitrary File Deletion

Published

2024-12-03

Title

Classic Addons – WPBakery Page Builder < 3.1 - Authenticated (Contributor+) Limited Local PHP File Inclusion

Published

2025-01-23

Title

Bootstrap Ultimate <= 1.4.9 - Unauthenticated Limited Local File Inclusion

Published

2015-01-15

Title

GI-Media Library < 3.0 - Arbitrary File Download

Published

2015-03-27

Title

Aspose Cloud eBook Generator - File Download