CVE-2025-10488 is a path traversal vulnerability classified under CWE-22 found in the Directorist plugin by wpwax, a WordPress plugin designed for business directory and classified ads listings. The vulnerability arises due to insufficient validation of file paths in the add_listing_action AJAX handler, which processes file move operations. This flaw allows an unauthenticated attacker to specify arbitrary file paths, enabling them to move files anywhere on the server filesystem. Such arbitrary file move capability can be leveraged to overwrite or relocate critical files, including configuration files like wp-config.php, which contain sensitive database credentials and security keys. By manipulating these files, attackers can achieve remote code execution, compromising the entire WordPress installation and potentially the underlying server. The CVSS 3.1 score of 8.1 reflects the high impact on integrity and availability, with network attack vector, low attack complexity, and no user interaction required. Although no public exploits are currently known, the vulnerability's nature and ease of exploitation make it a critical concern for all sites running affected versions of the plugin. The vulnerability affects all versions up to 8.4.8, and no official patches or updates are linked yet, indicating the need for immediate attention from site administrators.

The exploitation of this vulnerability can have severe consequences for organizations worldwide. Attackers can gain the ability to move arbitrary files on the server, which can lead to remote code execution, full site compromise, data theft, defacement, or use of the server as a pivot point for further attacks. The integrity of the website and its data is at high risk, as attackers can modify or replace critical files. Availability can also be impacted if attackers disrupt or delete essential files. Confidentiality is indirectly affected since wp-config.php exposure can reveal database credentials. This vulnerability threatens any organization using the Directorist plugin, especially those relying on WordPress for business-critical operations, e-commerce, or customer data management. The risk extends to hosting providers and managed WordPress services that may have multiple clients using the vulnerable plugin. The lack of authentication requirement for exploitation increases the threat surface, making automated mass scanning and exploitation feasible.

1. Immediate mitigation involves disabling or removing the Directorist plugin until a secure patch is released. 2. Monitor official wpwax channels and WordPress plugin repositories for updates or patches addressing CVE-2025-10488. 3. Implement web application firewall (WAF) rules to detect and block suspicious requests targeting the add_listing_action AJAX endpoint, especially those containing path traversal patterns (e.g., ../ sequences). 4. Restrict file system permissions on the WordPress installation to limit the plugin's ability to move or modify critical files like wp-config.php. 5. Conduct regular backups of the WordPress site and database to enable recovery in case of compromise. 6. Employ intrusion detection systems to monitor for unusual file movements or modifications. 7. Review server logs for any signs of exploitation attempts targeting this vulnerability. 8. Educate site administrators about the risks and encourage prompt patching once available. 9. Consider isolating WordPress instances or running them with least privilege to reduce impact scope. 10. If patching is delayed, consider temporarily disabling AJAX actions related to add_listing_action via custom code or plugin filters.