WordPress Plugin Vulnerabilities

Business Directory < 6.4.19 - Missing Authorization

Description

The Business Directory plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the dispatch() function in versions up to, and including, 6.4.18. This makes it possible for authenticated attackers, with subscriber-level access and above, to edit listings.

Affects Plugins

Plugin icon
business-directory-plugin
Fixed in 6.4.19

References

CVE
CVE-2025-64219
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/44c14dca-19df-4f83-80bf-6ea0ea261e28

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Tran Hoang Tuan Kiet
Verified
No
WPVDB ID
45b37059-4143-4895-9f4b-9808bb624724

Timeline

Publicly Published
2025-10-19 (about 7 months ago)
Added
2025-11-04 (about 7 months ago)
Last Updated
2025-11-04 (about 7 months ago)

Other

Published
Title
Published
2025-06-09
Title
Membership For WooCommerce < 2.8.2 - Missing Authorization
Published
2025-09-30
Title
SMS Contact Form 7 Notifications by ClickSend <= 1.4.0 - Missing Authorization
Published
2025-05-01
Title
Flynax Bridge < 2.2.1 - Unauthenticated Limited Privilege Escalation
Published
2023-10-19
Title
Just Custom Fields <= 3.3.2 - Missing Authorization on AJAX Actions
Published
2023-10-12
Title
WP ERP < 1.12.7 - Missing Authorization via admin notice dismissal