CVE-2025-60120 is a security vulnerability classified under CWE-862 (Missing Authorization) affecting the WP Directory Kit plugin for WordPress, versions up to and including 1.3.8. This vulnerability arises from improperly configured access control mechanisms within the plugin, allowing unauthorized users to access functionality or data that should be restricted. Specifically, the flaw permits exploitation of incorrectly configured security levels, meaning that certain operations or data exposures can be performed or viewed without proper authorization checks. The CVSS v3.1 base score is 5.3, indicating a medium severity level. The vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) shows that the vulnerability is remotely exploitable over the network without any privileges or user interaction, but it only impacts confidentiality (limited data disclosure), with no impact on integrity or availability. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability affects WP Directory Kit, a WordPress plugin used to create and manage directory listings on websites, which may contain sensitive or private information depending on the deployment. The missing authorization can lead to unauthorized data access, potentially exposing user or business information stored within the directory listings. Since WordPress is widely used across Europe, and directory plugins are common for business and community sites, this vulnerability could be leveraged by attackers to gather sensitive information without authentication.

For European organizations, the impact of CVE-2025-60120 depends largely on the nature of the data managed by WP Directory Kit on their websites. Organizations using this plugin to manage member directories, business listings, or internal contact information could face unauthorized data disclosure, leading to privacy violations and potential regulatory non-compliance under GDPR. Although the vulnerability does not allow data modification or service disruption, unauthorized access to confidential information can damage reputation and trust. Attackers could use the exposed data for targeted phishing, social engineering, or further attacks. Given the remote and unauthenticated nature of the exploit, any public-facing WordPress site using the vulnerable plugin is at risk. This is particularly critical for sectors handling sensitive personal or business data, such as healthcare providers, educational institutions, and professional associations prevalent in Europe. The lack of known exploits in the wild currently reduces immediate risk, but the ease of exploitation and public availability of the vulnerability information could lead to rapid weaponization.

European organizations should immediately audit their WordPress installations to identify the presence of WP Directory Kit plugin versions up to 1.3.8. Until an official patch is released, administrators should consider disabling or removing the plugin if it is not essential. If the plugin is critical, restrict access to the directory pages via web application firewalls (WAFs) or IP whitelisting to limit exposure. Implement strict access controls at the web server or application level to prevent unauthorized access. Monitor web server logs for unusual access patterns targeting directory endpoints. Organizations should subscribe to vendor updates and CVE databases to apply patches promptly once available. Additionally, conducting a thorough review of the data exposed through the directory and minimizing sensitive information displayed publicly can reduce risk. Employing security plugins that enforce authorization checks or custom code to add missing authorization may be necessary as an interim measure.