CVE-2025-64250 identifies an open redirect vulnerability within the wpWax Directorist plugin, a WordPress directory listing tool widely used to manage business and service listings. The vulnerability exists in versions up to and including 8.5.6, where the plugin fails to properly validate URL parameters used for redirection. This flaw enables attackers to craft malicious URLs that appear legitimate but redirect users to untrusted, potentially malicious external websites. Such open redirects are commonly exploited in phishing campaigns to deceive users into divulging sensitive information or downloading malware. The vulnerability does not require authentication, meaning any user who clicks a crafted link can be affected. Although no public exploits have been reported yet, the presence of this vulnerability in a popular plugin increases the risk of future exploitation. The lack of a CVSS score indicates that the vulnerability is newly disclosed, and no official severity rating has been assigned. The open redirect can compromise user trust, lead to credential theft, and facilitate further attacks by redirecting users to malicious domains. The vulnerability was reserved in late October 2025 and published in mid-December 2025, suggesting recent discovery and disclosure. No official patches or mitigation links are currently provided, emphasizing the need for immediate attention from administrators using Directorist.

For European organizations using the wpWax Directorist plugin, this vulnerability can lead to significant security and reputational risks. Attackers can exploit the open redirect to conduct phishing attacks targeting employees, customers, or partners by redirecting them to malicious sites that harvest credentials or distribute malware. This can result in data breaches, unauthorized access, and financial losses. The impact on confidentiality is high due to potential credential theft, while integrity and availability impacts are indirect but possible if subsequent attacks leverage stolen credentials. Organizations relying on Directorist for public-facing directories may suffer brand damage and loss of user trust. The ease of exploitation without authentication and the widespread use of WordPress in Europe amplify the threat. Additionally, phishing campaigns exploiting this vulnerability could target sectors with high directory usage such as retail, hospitality, and professional services. The absence of known exploits currently provides a window for proactive mitigation, but the risk remains substantial given the commonality of open redirect attacks in phishing.

Administrators should monitor wpWax and Directorist official channels for patches addressing CVE-2025-64250 and apply updates promptly once available. In the interim, implement strict URL validation and sanitization on all user-supplied input parameters related to redirection within the plugin or via web application firewalls (WAFs) that can detect and block suspicious redirect attempts. Employ Content Security Policy (CSP) headers to restrict navigation to trusted domains. Educate users and employees about the risks of clicking on unexpected or suspicious links, especially those appearing to originate from the organization’s domain. Consider disabling or limiting the use of URL redirection features within Directorist if feasible. Conduct regular security assessments and penetration tests focusing on URL handling in web applications. Monitor web traffic for unusual redirect patterns and phishing attempts. Finally, maintain robust email filtering and anti-phishing solutions to reduce the success of phishing campaigns leveraging this vulnerability.