Arbitrary File Move Vulnerability in Directorist: AI-Powered Business Directory Plugin for WordPress
CVE-2025-10488

8.1HIGH

Key Information:

Vendor: WordPress
Status: Directorist: Ai-powered Business Directory Plugin With Classified Ads Listings
Vendor: CVE Published:; 25 October 2025

What is CVE-2025-10488?

The Directorist: AI-Powered Business Directory Plugin for WordPress is exposed to a vulnerability that allows unauthenticated attackers to exploit insufficient file path validation in the add_listing_action AJAX action. This loophole is present in all versions up to and including 8.4.8. As a result, attackers can relocate arbitrary files within the server, potentially leading to severe consequences such as remote code execution if sensitive files like wp-config.php are manipulated.

Affected Version(s)

Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings * <= 8.4.8

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/directorist/ta...

https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 25, 2025
Vulnerability Reserved
Sep 15, 2025

Credit

Arkadiusz Hydzik

JSON