Directorist < 8.3 – Missing Authorization to Unauthenticated Arbitrary Post Publishing | CVE 2025-2224 | Plugin Vulnerabilities

Description

The Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the 'parse_query' function in all versions up to, and including, 8.2. This makes it possible for unauthenticated attackers to update the post_status of any post to 'publish'.

Affects Plugins

Fixed in 8.3

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/684e6a97-b884-4d25-99f1-81c2a43f1239

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

mikemyers

Verified

No

WPVDB ID

d87efeab-356b-4eee-a0cb-d334974df76b

Timeline

Publicly Published

2025-03-24 (about 1 year ago)

Added

2025-03-24 (about 1 year ago)

Last Updated

2025-03-25 (about 1 year ago)

Other

Published

Title

Published

2024-12-11

Title

Notibar < 2.1.5 - Missing Authorization via ajax_install_plugin

Published

2025-01-03

Title

Allada T-shirt Designer for Woocommerce <= 1.1 - Missing Authorization

Published

2022-11-28

Title

Directorist < 7.4.4 - Subscriber+ Sensitive Information Disclosure

Published

2026-01-05

Title

Quiz And Survey Master < 10.3.2 - Subscriber+ Quiz Results Deletion

Published

2025-12-15

Title

JetFormBuilder < 3.5.4 - Missing Authorization to Unauthenticated Form Generation