CVE-2025-12174: CWE-862 Missing Authorization in wpwax Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings
The Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'directorist_prepare_listings_export_file' and 'directorist_type_slug_change' AJAX actions in all versions up to, and including, 8.5.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to export listing details and change the directorist slug.
AI Analysis
Technical Summary
CVE-2025-12174 is a vulnerability classified under CWE-862 (Missing Authorization) found in the Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings for WordPress. The issue arises from the absence of proper capability checks on two AJAX actions: 'directorist_prepare_listings_export_file' and 'directorist_type_slug_change'. These actions allow authenticated users with minimal privileges (Subscriber-level or above) to export sensitive listing data and modify the directory slug, respectively. Since the plugin does not verify whether the user has the appropriate permissions before executing these actions, it enables unauthorized access and modification of data. The vulnerability affects all versions up to 8.5.2 inclusive. The CVSS v3.1 score is 6.5, indicating a medium severity level, with the vector showing network attack vector, low attack complexity, no privileges required, no user interaction, unchanged scope, and low impact on confidentiality and integrity, with no impact on availability. Although no known exploits have been reported in the wild, the flaw poses a risk to the confidentiality of business listings and the integrity of directory configurations. The vulnerability is particularly concerning for websites that rely on Directorist for managing business directories and classified ads, as unauthorized export of listings could lead to data leakage, and slug changes could disrupt site functionality or SEO. The issue was publicly disclosed on November 19, 2025, and no official patches are linked yet, suggesting organizations must monitor vendor updates closely.
Potential Impact
For European organizations, this vulnerability could lead to unauthorized disclosure of sensitive business directory data, potentially exposing client or partner information. The ability to change the directory slug could also disrupt web presence, affecting SEO and user access to listings, which can harm business reputation and operational continuity. Organizations relying on Directorist for classified ads or business listings may face data confidentiality breaches and integrity issues, which could lead to regulatory compliance challenges under GDPR if personal data is involved. The medium severity indicates moderate risk, but the ease of exploitation by low-privileged authenticated users increases the threat surface, especially in environments where subscriber accounts are common or easily obtained. This vulnerability could be leveraged in targeted attacks against small and medium enterprises or local business directories prevalent in Europe, potentially facilitating further lateral movement or information gathering by attackers.
Mitigation Recommendations
Immediate mitigation steps include restricting Subscriber-level accounts from accessing the affected AJAX endpoints by implementing custom capability checks or disabling these AJAX actions via WordPress hooks if patching is not yet available. Organizations should monitor user activity logs for unusual export actions or slug changes and enforce strong authentication and account management policies to limit the creation and use of low-privileged accounts. Applying the vendor’s patch promptly once released is critical. Additionally, web application firewalls (WAFs) can be configured to detect and block suspicious AJAX requests targeting these endpoints. Regular security audits of WordPress plugins and minimizing plugin usage to only trusted and necessary components will reduce exposure. Backup and recovery plans should be updated to quickly restore any unauthorized changes to directory slugs or data exports.
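The custom capability check described above can be deployed as a must-use plugin. The following is an added example, not code from wpwax or from the original advisory. It assumes the file is saved as wp-content/mu-plugins/directorist-ajax-guard.php (a hypothetical name), that 'manage_options' is the right capability for both operations on your site, and that Directorist registers its handlers on the standard wp_ajax_ hooks; the dguard_ names are hypothetical.

```php
<?php
/**
 * Plugin Name: Directorist AJAX capability guard (added example)
 * Description: Stopgap for CVE-2025-12174 until a fixed Directorist release is installed.
 */

defined( 'ABSPATH' ) || exit;

// The two AJAX actions the advisory names as missing a capability check.
const DGUARD_ACTIONS = array(
	'directorist_prepare_listings_export_file',
	'directorist_type_slug_change',
);

// Assumption: only administrators should export listings or change the slug.
const DGUARD_REQUIRED_CAP = 'manage_options';

/**
 * Runs before the plugin's own handler. Lets authorized users through,
 * logs and rejects everyone else with HTTP 403.
 */
function dguard_enforce_capability() {
	if ( current_user_can( DGUARD_REQUIRED_CAP ) ) {
		return; // Authorized: the plugin's handler runs next.
	}

	// current_filter() is the hook being fired, e.g. wp_ajax_directorist_type_slug_change.
	$action = str_replace( 'wp_ajax_', '', current_filter() );
	$ip     = isset( $_SERVER['REMOTE_ADDR'] )
		? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
		: 'unknown';

	// One log line per denied request, for the activity monitoring the advisory recommends.
	error_log( sprintf(
		'[directorist-guard] denied action=%s user_id=%d ip=%s',
		$action,
		get_current_user_id(),
		$ip
	) );

	// Sends the JSON error and terminates, so the unguarded handler never executes.
	wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
}

// Lowest possible priority value so the guard fires ahead of any handler on the same hook.
foreach ( DGUARD_ACTIONS as $dguard_action ) {
	add_action( 'wp_ajax_' . $dguard_action, 'dguard_enforce_capability', PHP_INT_MIN );
}
```

Remove the file once a fixed Directorist version is installed, and review the "[directorist-guard] denied" entries in the PHP error log for accounts that attempted either action.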
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-24T15:42:34.711Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 691d6897a27e6d5e91bc16bc
Added to database: 11/19/2025, 6:49:59 AM
Last enriched: 11/19/2025, 6:50:17 AM
Last updated: 11/22/2025, 7:44:45 AM
Related Threats
- CVE-2025-13384: CWE-862 Missing Authorization in codepeople CP Contact Form with PayPal (High)
- CVE-2025-13317: CWE-862 Missing Authorization in codepeople Appointment Booking Calendar (Medium)
- CVE-2025-12877: CWE-862 Missing Authorization in themeatelier IDonate – Blood Donation, Request And Donor Management System (Medium)
- CVE-2025-12752: CWE-345 Insufficient Verification of Data Authenticity in scottpaterson Subscriptions & Memberships for PayPal (Medium)
- CVE-2025-11186: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in humanityco Cookie Notice & Compliance for GDPR / CCPA (Medium)