
CVE-2025-64219: Missing Authorization in Strategy11 Team Business Directory

Severity: Medium
Published: Wed Oct 29 2025 (10/29/2025, 08:38:09 UTC)
Source: CVE Database V5
Vendor/Project: Strategy11 Team
Product: Business Directory

Description

Missing Authorization vulnerability in Strategy11 Team Business Directory (business-directory-plugin) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Business Directory: from n/a through <= 6.4.18.

AI-Powered Analysis

Last updated: 11/13/2025, 13:04:41 UTC

Technical Analysis

CVE-2025-64219 identifies a missing authorization vulnerability in the Strategy11 Team's Business Directory WordPress plugin, affecting versions up to 6.4.18. The vulnerability stems from incorrectly configured access control security levels, which allow users with limited privileges (PR:L) to perform actions beyond their authorization scope. Specifically, the plugin fails to properly enforce authorization checks on certain functions or endpoints, enabling privilege escalation or unauthorized modifications to business directory data. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N) indicates that the attack can be executed remotely over the network with low attack complexity, requires some privileges but no user interaction, and impacts integrity without affecting confidentiality or availability. Although no exploits are currently known in the wild, the vulnerability presents a risk of unauthorized data manipulation, potentially undermining the trustworthiness of business listings or related information. The plugin is commonly used in WordPress environments to manage business directories, making it a relevant target for attackers seeking to alter data or disrupt services. The lack of vendor patches at the time of publication necessitates immediate attention to access control configurations and monitoring for suspicious activities.

Potential Impact

For European organizations, the impact primarily concerns the integrity of business directory data managed via the Strategy11 Business Directory plugin. Unauthorized modifications could lead to misinformation, reputational damage, or operational disruptions if business listings are altered maliciously. While confidentiality and availability are not directly affected, the integrity compromise could indirectly affect business decisions or customer trust. Organizations relying on this plugin for public-facing directories or internal business listings are at risk, especially if attackers escalate privileges to manipulate data. The medium severity rating suggests a moderate risk level, but the ease of remote exploitation and lack of user interaction increase the urgency for mitigation. Additionally, sectors with high reliance on accurate business data, such as retail, services, and local government directories, could face more pronounced consequences.

Mitigation Recommendations

1. Immediately audit and review access control configurations within the Business Directory plugin to ensure that only authorized roles have permissions to modify directory data.
2. Restrict plugin administrative and editing capabilities strictly to trusted users with appropriate roles.
3. Monitor logs for unusual modification activities or privilege escalations related to the plugin.
4. Apply any vendor-released patches or updates addressing this vulnerability as soon as they become available.
5. If patches are delayed, consider temporarily disabling the plugin or limiting its functionality to reduce exposure.
6. Implement web application firewalls (WAF) with rules to detect and block suspicious requests targeting the plugin endpoints.
7. Educate administrators on the risks of privilege misuse and enforce strong role-based access controls within WordPress environments.
8. Regularly back up business directory data to enable recovery in case of unauthorized changes.
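The analysis above describes the vulnerability class (an authenticated, low-privilege user reaching a write operation that never checks authorization) and recommendation 1 asks for the capability checks to be enforced. The following is an added, hypothetical illustration of that pattern in a WordPress admin-ajax handler; it is not code from the Business Directory plugin, and the action, function and field names (bd_example_update_listing, listing_id, title) are assumed for the example.

```php
<?php
// Hypothetical illustration (not the Business Directory plugin's code) of the
// missing-authorization class behind CVE-2025-64219: an admin-ajax handler that
// updates a listing. Action and field names are assumed for this example.

// BEFORE: wp_ajax_* hooks only require that a user is logged in (PR:L); nothing
// here asks whether that user is allowed to edit this particular listing, so
// any subscriber can change any listing's title (integrity impact, I:L).
function bd_example_update_listing_vulnerable() {
    $listing_id = absint( $_POST['listing_id'] ?? 0 );
    $title      = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );

    wp_update_post( array( 'ID' => $listing_id, 'post_title' => $title ) );
    wp_send_json_success();
}

// AFTER: confirm the request is intentional (nonce) and that the current user
// holds an object-level capability for this listing before any write happens.
function bd_example_update_listing_fixed() {
    // Rejects forged cross-site requests; terminates with 403 on failure.
    check_ajax_referer( 'bd_example_update_listing', 'nonce' );

    $listing_id = absint( $_POST['listing_id'] ?? 0 );
    $listing    = $listing_id ? get_post( $listing_id ) : null;

    // Authorization, not just authentication: WordPress's own capability model,
    // checked against the object ID so ownership is part of the decision.
    // wp_send_json_error() ends execution, so no write can follow a denial.
    if ( ! $listing || ! current_user_can( 'edit_post', $listing_id ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed' ), 403 );
    }

    $title = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    if ( '' === $title ) {
        wp_send_json_error( array( 'message' => 'Title required' ), 400 );
    }

    wp_update_post( array( 'ID' => $listing_id, 'post_title' => $title ) );
    wp_send_json_success( array( 'id' => $listing_id ) );
}

// Only the hardened handler is registered; the vulnerable one is shown for contrast.
add_action( 'wp_ajax_bd_example_update_listing', 'bd_example_update_listing_fixed' );
```

When auditing a plugin for this class, list every wp_ajax_*, REST route and admin-post handler that writes data and confirm each one reaches a current_user_can() (or a REST permission_callback) before the write; a nonce alone is not an authorization check.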


Technical Details

Data Version: 5.1
Assigner Short Name: Patchstack
Date Reserved: 2025-10-29T03:08:02.189Z
Cvss Version: null
State: PUBLISHED

Threat ID: 6901d65e86d093201c2b6188

Added to database: 10/29/2025, 8:54:54 AM

Last enriched: 11/13/2025, 1:04:41 PM

Last updated: 12/14/2025, 9:59:58 AM

