The Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings for WordPress suffers from a missing authorization vulnerability identified as CVE-2025-12174. Specifically, the plugin fails to perform capability checks on two AJAX actions: 'directorist_prepare_listings_export_file' and 'directorist_type_slug_change'. These actions are intended to be restricted to authorized users but are accessible to any authenticated user with Subscriber-level privileges or higher. This allows such users to export sensitive listing details and alter the directory slug, which could disrupt the integrity and availability of the directory data. The vulnerability affects all versions up to and including 8.5.2. The CVSS 3.1 base score is 6.5, indicating a medium severity with network attack vector, low attack complexity, no privileges required (beyond authentication), no user interaction, and impacts on confidentiality and integrity but not availability. No patches or known exploits are currently available, but the flaw represents a significant risk for websites relying on Directorist for business listings, as unauthorized data export and modification could lead to data breaches or reputational damage. The vulnerability was publicly disclosed on November 19, 2025, and assigned by Wordfence. The CWE classification is CWE-862, which relates to missing authorization checks.

For European organizations, this vulnerability could lead to unauthorized disclosure of business directory listings, potentially exposing sensitive company information or client data. The ability to change the directory slug could also disrupt business operations by affecting URL structures and accessibility of listings, harming user trust and SEO rankings. Organizations relying on Directorist for classified ads or business listings might face data integrity issues and reputational damage if attackers exploit this flaw. Given the medium severity and ease of exploitation by low-privilege authenticated users, attackers could leverage compromised or low-level user accounts to escalate their impact. This is particularly concerning for sectors with sensitive business data such as finance, legal, and healthcare directories. Additionally, the lack of known exploits currently provides a window for proactive mitigation before widespread attacks occur.

European organizations should immediately verify if they use the Directorist plugin and identify the version in use. Since no official patches are currently available, temporary mitigations include restricting user roles that can authenticate on the WordPress site, especially limiting Subscriber-level access to trusted users only. Administrators should audit user accounts for suspicious activity and remove or restrict unnecessary accounts. Implementing Web Application Firewall (WAF) rules to monitor and block unauthorized AJAX requests targeting 'directorist_prepare_listings_export_file' and 'directorist_type_slug_change' endpoints can reduce exploitation risk. Monitoring logs for unusual export or slug change activities is recommended. Organizations should subscribe to vendor updates and apply official patches promptly once released. Additionally, consider isolating the WordPress environment and enforcing strong authentication mechanisms such as multi-factor authentication (MFA) to reduce the risk of account compromise.