Directorist < 8.6.7 – Unauthenticated Open Redirect | CVE 2025-64250 | Plugin Vulnerabilities

Description

The Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 8.6.6. This is due to insufficient validation on the redirect url supplied. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action.

Affects Plugins

Fixed in 8.6.7

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/c17b03b4-d503-4bee-a1cd-4d66d27f6f9e

Classification

Type

REDIRECT

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

daroo

Verified

No

WPVDB ID

8b1d9a34-bb6e-45b6-8775-ba86b4c8e611

Timeline

Publicly Published

2025-12-15 (about 5 months ago)

Added

2025-12-19 (about 5 months ago)

Last Updated

2026-04-14 (about 1 month ago)

Other

Published

Title

Published

2026-05-27

Title

Meta for WooCommerce < 3.7.1 - Unauthenticated Open Redirect

Published

2023-04-27

Title

WP Directory Kit < 1.2.0 - Open Redirect

Published

2024-12-05

Title

Login Widget With Shortcode <= 6.1.2 - Open Redirect

Published

2025-08-14

Title

elink <= 1.1.0 - Contributor+ Arbitrary Redirect

Published

2024-08-09

Title

Easy PayPal Buy Now Button < 1.9.1 - Unauthenticated Open Redirect