CVE-2025-10488: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in wpwax Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings
The Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings plugin for WordPress is vulnerable to arbitrary file move due to insufficient file path validation in the add_listing_action AJAX action in all versions up to, and including, 8.4.8. This makes it possible for unauthenticated attackers to move arbitrary files on the server, which can easily lead to remote code execution when the right file is moved (such as wp-config.php).
AI Analysis
Technical Summary
CVE-2025-10488 is a path traversal vulnerability (CWE-22) in the Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings for WordPress, developed by wpwax. The flaw lies in the add_listing_action AJAX action, where insufficient validation of file paths allows an attacker to move arbitrary files on the server. It affects all plugin versions up to and including 8.4.8. Because the plugin does not properly restrict or sanitize the file paths it operates on, an unauthenticated attacker can craft requests that move sensitive files such as wp-config.php, which contains database credentials and other critical configuration data. Moving such files can enable remote code execution (RCE) by allowing an attacker to replace or relocate files into locations where the server will execute them. The vulnerability requires no user interaction and has low attack complexity; the CVSS vector records low privileges (PR:L), which in a WordPress context may mean a subscriber or contributor role, while the CVE description speaks of unauthenticated attackers, so the effective requirement depends on how the plugin exposes the AJAX endpoint. The CVSS v3.1 base score is 8.1 (high): network attack vector, low complexity, and high impact on integrity and availability. No public exploits have been reported yet, but the potential for exploitation is significant given the widespread use of WordPress and the plugin’s functionality. The absence of a patch link suggests that a fix may not yet be publicly available, which increases the urgency of mitigation.
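The defect class described above is a file-move handler that accepts a caller-supplied path without confirming it stays inside the directory the handler is meant to manage. The following Python example is added here to show the containment check that prevents that; it is not code from the Directorist plugin (which is PHP and not shown on this page), and the directory layout, file names and the name `safe_move` are constructed for the demonstration.

```python
import os
import tempfile
from typing import Optional


def resolve_within(base_dir: str, requested: str) -> Optional[str]:
    """Resolve `requested` relative to base_dir and return the absolute path
    only if it still lies inside base_dir after '..' and symlink resolution.
    Returns None for anything that escapes, which is the CWE-22 condition."""
    base = os.path.realpath(base_dir)
    # os.path.join discards `base` when `requested` is absolute, so an absolute
    # path is resolved on its own and then fails the containment test below.
    candidate = os.path.realpath(os.path.join(base, requested))
    # commonpath rather than startswith: "/srv/uploads_evil" starts with
    # "/srv/uploads" as a string but is not inside that directory.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def safe_move(base_dir: str, src_rel: str, dst_rel: str) -> str:
    """Move a file only when both endpoints resolve inside base_dir."""
    src = resolve_within(base_dir, src_rel)
    dst = resolve_within(base_dir, dst_rel)
    if src is None or dst is None:
        raise ValueError(f"refusing move outside {base_dir}: {src_rel!r} -> {dst_rel!r}")
    if not os.path.isfile(src):
        raise FileNotFoundError(src)
    os.replace(src, dst)
    return dst


def demo() -> dict:
    """Build a throwaway site layout (constructed, not a real install) and
    exercise the check with one legitimate move and two escape attempts."""
    root = tempfile.mkdtemp(prefix="cve-2025-10488-demo-")
    uploads = os.path.join(root, "uploads")
    os.makedirs(uploads)
    config = os.path.join(root, "wp-config.php")  # stand-in file, not a real config
    with open(config, "w") as fh:
        fh.write("<?php // constructed placeholder\n")
    with open(os.path.join(uploads, "photo.jpg"), "w") as fh:
        fh.write("image bytes would go here\n")

    results = {}
    moved = safe_move(uploads, "photo.jpg", "listing-1.jpg")
    results["legit_move"] = os.path.isfile(moved) and moved.startswith(os.path.realpath(uploads))
    for label, src, dst in [
        ("relative_traversal", "../wp-config.php", "wp-config.php.bak"),
        ("absolute_path", config, "copied-config.txt"),
    ]:
        try:
            safe_move(uploads, src, dst)
            results[label] = "allowed"
        except ValueError:
            results[label] = "blocked"
    results["config_untouched"] = os.path.isfile(config)
    return results


if __name__ == "__main__":
    print(demo())
```

The check resolves both the source and the destination, because a handler that validates only one side can still be used to drop a file into, or pull a file out of, a directory it should not touch. Realpath resolution also defeats symlinks placed inside the managed directory, which a string-prefix test would not.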
Potential Impact
For European organizations, especially those running WordPress sites with the Directorist plugin, this vulnerability poses a serious risk. Successful exploitation can lead to unauthorized file manipulation, enabling attackers to execute arbitrary code remotely, potentially leading to full server compromise. This threatens confidentiality, integrity, and availability of web services and stored data. Organizations relying on this plugin for business directories or classified ads may face service outages, data breaches, or defacement. The impact is particularly critical for SMEs and enterprises that use WordPress as a core platform for customer engagement or internal operations. Additionally, compromised sites can be leveraged for further attacks such as phishing or malware distribution, amplifying the threat landscape. Given the plugin’s AI-powered features, attackers might also manipulate listings or data, impacting business reputation and trust.
Mitigation Recommendations
Immediate mitigation steps include restricting file system permissions to limit the plugin’s ability to move or modify critical files such as wp-config.php. Administrators should monitor and restrict access to the add_listing_action AJAX endpoint, for example with Web Application Firewall (WAF) rules that detect and block path traversal patterns in its parameters. Until an official patch is released, disabling or removing the Directorist plugin from production environments is advisable where feasible. Regularly audit WordPress user roles and permissions to ensure only minimal privileges are granted. Employ intrusion detection systems to monitor for anomalous file moves or unexpected changes in critical directories. Back up all WordPress sites and databases frequently to enable rapid recovery. Once a patch is available, apply it promptly. Additionally, consider isolating WordPress instances in containerized or sandboxed environments to reduce the blast radius.
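The WAF and monitoring recommendations above come down to inspecting calls to the add_listing_action AJAX action for traversal sequences or references to sensitive files. The Python scanner below is an added example of that logic run over request records as a WAF or application-level request log would capture them; it is not part of the advisory or the plugin. The endpoint path and action name come from the advisory, while the parameter name `file`, the client addresses and all sample requests are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlparse

AJAX_ENDPOINT = "/wp-admin/admin-ajax.php"
WATCHED_ACTION = "add_listing_action"  # action named in the advisory
# '..' as a complete path segment, checked after backslashes are normalised to '/'
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")
# Files a listing upload/move handler has no business referencing.
SENSITIVE_TARGETS = ("wp-config.php", ".htaccess", "wp-settings.php")


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Undo repeated percent-encoding so that '..%252F' is seen as '../'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyse_request(req: Dict[str, str]) -> Optional[List[str]]:
    """Return findings for one request, or None when it is not a suspicious
    call to the watched AJAX action."""
    url = urlparse(req["url"])
    if not url.path.endswith(AJAX_ENDPOINT):
        return None
    params = parse_qs(url.query)
    params.update(parse_qs(req.get("body", "")))  # POST fields override the query string
    if params.get("action", [""])[0] != WATCHED_ACTION:
        return None
    findings: List[str] = []
    for name, values in params.items():
        if name == "action":
            continue
        for raw in values:
            normalised = decode_fully(raw).replace("\\", "/")
            if TRAVERSAL.search(normalised):
                findings.append(f"traversal sequence in parameter {name!r}: {raw!r}")
            elif normalised.lower().rstrip("/").endswith(SENSITIVE_TARGETS):
                findings.append(f"sensitive file referenced in parameter {name!r}: {raw!r}")
    return findings or None


def scan(requests: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Run analyse_request over a batch and return (index, findings) for hits."""
    hits = []
    for idx, req in enumerate(requests):
        findings = analyse_request(req)
        if findings:
            hits.append((idx, findings))
    return hits


# Constructed request records; bodies are the URL-encoded POST form fields.
SAMPLE_REQUESTS = [
    {"src": "203.0.113.10", "method": "POST", "url": "/wp-admin/admin-ajax.php",
     "body": "action=add_listing_action&listing_id=42&file=listing-photo.jpg"},
    {"src": "203.0.113.11", "method": "POST", "url": "/wp-admin/admin-ajax.php",
     "body": "action=add_listing_action&listing_id=42&file=..%2F..%2Fwp-config.php"},
    {"src": "203.0.113.12", "method": "GET",
     "url": "/wp-admin/admin-ajax.php?action=add_listing_action&file=..%252F..%252Fwp-config.php"},
    {"src": "203.0.113.13", "method": "POST", "url": "/wp-admin/admin-ajax.php",
     "body": "action=add_listing_action&file=%2Fvar%2Fwww%2Fhtml%2Fwp-config.php"},
    {"src": "203.0.113.14", "method": "POST", "url": "/wp-admin/admin-ajax.php",
     "body": "action=heartbeat&data=ping"},  # unrelated action, ignored by this rule
]

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_REQUESTS):
        print(SAMPLE_REQUESTS[idx]["src"], findings)
```

Two points matter when turning this into a production rule. Web server access logs normally omit POST bodies, so the records must come from a WAF audit log or an application-level request logger that records form fields; a rule that only sees the query string misses the common POST case. Decoding is repeated before matching because a single-pass filter is defeated by double-encoded separators, which is why the third sample request is decoded twice before the `..` segment appears.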
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-09-15T14:42:08.792Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68fc745855d697d32d438f79
Added to database: 10/25/2025, 6:55:20 AM
Last enriched: 10/25/2025, 6:56:15 AM
Last updated: 10/30/2025, 1:27:04 PM