CVE-2025-10488: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in wpwax Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings
The Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings plugin for WordPress is vulnerable to arbitrary file move due to insufficient file path validation in the add_listing_action AJAX action in all versions up to, and including, 8.4.8. This makes it possible for unauthenticated attackers to move arbitrary files on the server, which can easily lead to remote code execution when the right file is moved (such as wp-config.php).
AI Analysis
Technical Summary
CVE-2025-10488 is a path traversal vulnerability classified under CWE-22 found in the Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings for WordPress. This vulnerability exists due to improper validation of file paths in the add_listing_action AJAX action, allowing attackers to move arbitrary files on the server. The flaw affects all plugin versions up to and including 8.4.8. An unauthenticated attacker can exploit this by sending crafted requests to the vulnerable AJAX endpoint, bypassing normal access controls and manipulating file paths to relocate sensitive files such as wp-config.php. Moving such files can enable remote code execution, compromising the server's integrity and availability. The CVSS 3.1 base score is 8.1, indicating high severity, with attack vector network (AV:N), low attack complexity (AC:L), requiring low privileges (PR:L), no user interaction (UI:N), unchanged scope (S:U), no confidentiality impact (C:N), but high integrity (I:H) and availability (A:H) impacts. No patches or exploits are currently publicly available, but the vulnerability is published and should be addressed promptly. The vulnerability is particularly dangerous because WordPress sites often run with elevated privileges and host critical business data. The plugin’s widespread use in business directories increases the attack surface, especially for small and medium enterprises relying on this plugin for classified ads and listings.
Potential Impact
For European organizations, this vulnerability poses a significant risk to the integrity and availability of WordPress-based business directory websites. Exploitation could lead to unauthorized file manipulation, enabling attackers to execute arbitrary code remotely, potentially resulting in full server compromise. This can disrupt business operations, lead to data breaches, and damage reputation. Since many European SMEs use WordPress plugins like Directorist to manage business listings and classified ads, the attack surface is substantial. The ability to move critical configuration files like wp-config.php can expose database credentials, further escalating the compromise. Additionally, the attack requires no user interaction and can be launched remotely, increasing the likelihood of exploitation. The absence of known exploits in the wild currently provides a window for mitigation, but the high severity score underscores the urgency. Organizations in Europe with limited cybersecurity resources may be particularly vulnerable to automated or opportunistic attacks leveraging this flaw.
Mitigation Recommendations
1. Immediately monitor for updates from wpwax and apply official patches once released to fix the path traversal vulnerability.
2. Until patches are available, restrict file system permissions for the WordPress installation to limit the ability of the web server user to move or modify critical files such as wp-config.php.
3. Implement Web Application Firewall (WAF) rules to detect and block suspicious AJAX requests targeting the add_listing_action endpoint, especially those containing path traversal patterns (e.g., ../ sequences).
4. Conduct regular security audits and file integrity monitoring to detect unauthorized file movements or modifications.
5. Disable or restrict the Directorist plugin on sites where it is not essential, reducing the attack surface.
6. Employ the principle of least privilege for WordPress user roles and server processes to minimize potential damage from exploitation.
7. Educate site administrators on the risks and signs of exploitation to enable rapid incident response.
8. Consider isolating critical WordPress instances in segmented network zones to limit lateral movement in case of compromise.
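A WAF-style request check in the spirit of mitigation 3, written here as an added example (it is not Directorist's or wpwax's code): it examines only admin-ajax.php requests whose action is add_listing_action and returns a block verdict when any parameter value decodes to a traversal sequence, including double-encoded forms that a single decode would miss. The parameter names (file_name, listing_title) and the sample requests are constructed assumptions, not the plugin's real interface.

```python
import re
from urllib.parse import parse_qs, unquote

TARGET_ACTION = "add_listing_action"
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")   # "../" or "..\" once fully decoded

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded sequences (%252e%252e%252f) are caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_request(path, query, body):
    """Return (block, reason) for one request.

    path: request path; query/body: raw application/x-www-form-urlencoded strings.
    WordPress reads the AJAX action from either the query string or the POST body,
    so both are merged before the action is checked.
    """
    if not path.endswith("/wp-admin/admin-ajax.php"):
        return False, "not an admin-ajax request"
    params = parse_qs(query, keep_blank_values=True)
    params.update(parse_qs(body, keep_blank_values=True))
    if TARGET_ACTION not in params.get("action", []):
        return False, "other AJAX action"
    for name, values in params.items():
        for value in values:
            if TRAVERSAL_RE.search(fully_decode(value)):
                return True, f"traversal sequence in parameter '{name}'"
    return False, "clean add_listing_action request"

# Constructed sample requests (not captured traffic); parameter names are hypothetical.
SAMPLES = {
    "benign":  ("/wp-admin/admin-ajax.php", "", "action=add_listing_action&listing_title=Cafe+Central"),
    "plain":   ("/wp-admin/admin-ajax.php", "", "action=add_listing_action&file_name=../../uploads/x.txt"),
    "encoded": ("/wp-admin/admin-ajax.php", "action=add_listing_action", "file_name=%252e%252e%252fx.txt"),
    "other":   ("/wp-admin/admin-ajax.php", "", "action=heartbeat&data=../../x"),
}

def run_samples():
    """Map each sample name to its block verdict."""
    return {name: inspect_request(*req)[0] for name, req in SAMPLES.items()}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(name, inspect_request(*req))
```

Only the targeted action is inspected so that normal traffic to other AJAX handlers is not affected; the decode loop is what distinguishes this from a naive substring match on "../".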
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-09-15T14:42:08.792Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 68fc745855d697d32d438f79
Added to database: 10/25/2025, 6:55:20 AM
Last enriched: 11/1/2025, 7:17:17 AM
Last updated: 12/14/2025, 5:00:22 AM