CVE-2025-10488
Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings
A high-severity vulnerability has been identified in the WordPress "Directorist" plugin, which allows an authenticated attacker to move arbitrary files on the web server.
Executive summary
The Directorist plugin for WordPress contains a high-severity flaw that lets an authenticated attacker move arbitrary files on the web server. Successful exploitation could enable an attacker to gain administrative control over the website, leading to potential data breaches, site defacement, or further system compromise.
Vulnerability
The vulnerability exists within the add_listing_action AJAX function of the Directorist plugin. The function fails to properly validate user-supplied file paths, creating an arbitrary file move condition. An authenticated attacker, even with low-level privileges, can craft a malicious request to this AJAX action to move a sensitive file (e.g., wp-config.php) from its original location to a publicly accessible directory. This would expose database credentials and other critical configuration details, which could then be used to achieve complete site takeover or remote code execution.
Business impact
This vulnerability is rated as High severity with a CVSS score of 8.1. Exploitation could have a significant negative impact on the business. Potential consequences include a complete compromise of the affected website, leading to a breach of sensitive customer or corporate data. An attacker could deface the website, causing reputational damage, or use the compromised server to launch further attacks. The direct risks include financial loss associated with remediation, potential regulatory fines if PII is exposed, and a loss of customer trust and confidence in the organization's security posture.
Remediation
Immediate Action:
- Immediately update the "Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings" plugin to the latest available version (greater than version 8) which contains a patch for this vulnerability.
- If the plugin is not critical to business operations, consider deactivating and uninstalling it to completely remove the attack surface.
- After patching, review the integrity of core WordPress files and the wp-config.php file for any unauthorized modifications.
Proactive Monitoring:
- Monitor web server access logs for suspicious POST requests to /wp-admin/admin-ajax.php with the action parameter set to add_listing_action. Scrutinize these requests for any path traversal sequences (../) or unusual file paths.
- Implement a File Integrity Monitoring (FIM) solution to alert on any unauthorized changes to critical files and directories, particularly wp-config.php.
- Review user accounts for any recently created or suspicious-looking low-privileged users, as these could be used as a foothold for exploitation.
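The log review described above can be scripted. The following is an added example, not code from the advisory or the plugin vendor: it parses combined-format access log lines, keeps requests to admin-ajax.php whose action query parameter is add_listing_action, and flags any parameter that carries a traversal sequence once URL encoding (including double encoding) is stripped. The parameter name file and the sample log lines are constructed; real requests may carry the parameters in the POST body, which access logs do not record, so the same check should also be applied to WAF or application logs that capture the body.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Apache/nginx "combined" format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')  # "../" or "..\" after decoding


def decode_twice(value: str) -> str:
    """Undo single and double URL encoding so ..%2f and %252e%252e%252f both read as ../"""
    return unquote(unquote(value))


def analyse_line(line: str):
    """Return a finding for a request to the vulnerable AJAX action, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a combined-format line; ignore
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    params = parse_qs(parts.query)  # parse_qs already decodes one layer of %xx
    if "add_listing_action" not in params.get("action", []):
        return None
    # Every request to this action is worth a look; traversal in any value raises it further
    traversal = [k for k, vals in params.items()
                 if any(TRAVERSAL_RE.search(decode_twice(v)) for v in vals)]
    return {"ip": m.group("ip"), "time": m.group("time"), "method": m.group("method"),
            "status": m.group("status"), "traversal_params": traversal,
            "severity": "high" if traversal else "review"}


def scan(lines):
    """Run analyse_line over an iterable of log lines and return the findings."""
    return [f for f in (analyse_line(l) for l in lines) if f]


# Constructed sample lines (not real traffic); the "file" parameter name is hypothetical
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Oct/2025:10:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=add_listing_action&file=..%2F..%2Fwp-config.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Oct/2025:10:00:02 +0000] "POST /wp-admin/admin-ajax.php?action=add_listing_action&file=%252e%252e%252fwp-config.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Oct/2025:10:01:00 +0000] "POST /wp-admin/admin-ajax.php?action=add_listing_action&file=photo.jpg HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
    '198.51.100.8 - - [01/Oct/2025:10:02:00 +0000] "GET /wp-content/uploads/a.png HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```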
Compensating Controls:
- Implement a Web Application Firewall (WAF) with rules designed to block path traversal attacks and malicious file manipulation attempts targeting the vulnerable AJAX action.
- Enforce the principle of least privilege by ensuring the web server process runs under a user account with strict, minimal permissions, preventing it from writing to or modifying files outside of necessary directories like the uploads folder.
- If patching is not immediately possible, temporarily disable the plugin until the update can be safely applied.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Due to the high severity (CVSS 8.1) of this vulnerability, immediate action is strongly recommended. Organizations utilizing the affected Directorist plugin should prioritize applying the vendor-supplied patch without delay. Although CVE-2025-10488 is not currently listed in the CISA KEV catalog, its potential for enabling remote code execution and full site compromise makes it a critical risk. We advise a proactive approach to patching and recommend a thorough security review of the affected WordPress instances for any indicators of compromise.