
CVE-2025-67596: Cross-Site Request Forgery (CSRF) in Strategy11 Team Business Directory

Severity: Medium
Type: Vulnerability
Published: Tue Dec 09 2025 (12/09/2025, 14:14:18 UTC)
Source: CVE Database V5
Vendor/Project: Strategy11 Team
Product: Business Directory

Description

Cross-Site Request Forgery (CSRF) vulnerability in Strategy11 Team Business Directory (plugin slug business-directory-plugin) allows Cross-Site Request Forgery. This issue affects Business Directory: all versions up to and including 6.4.19.

AI-Powered Analysis

AILast updated: 01/21/2026, 01:07:33 UTC

Technical Analysis

CVE-2025-67596 identifies a Cross-Site Request Forgery (CSRF) vulnerability in the Strategy11 Team's Business Directory plugin (business-directory-plugin), a widely used WordPress plugin for creating and managing business directories. All versions up to and including 6.4.19 are affected. In a CSRF attack the attacker induces a victim's browser to submit a crafted request to a site where the victim is already authenticated, typically by luring the victim to a malicious page or link; the browser attaches the victim's session cookies, so the application processes the request as if the victim had made it deliberately. The attacker therefore needs no privileges on the target site, but the victim must be logged in and must interact with the attack vector. The CVSS 3.1 vector given in this analysis (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) describes a network-reachable, low-complexity attack that requires no privileges but does require user interaction, with a low confidentiality impact and no integrity or availability impact: according to that vector a forged request could expose information accessible to the authenticated user, but could not modify data or disrupt service. Note that the CVE record itself carries no CVSS version (see Technical Details below), so this scoring should be confirmed against the Patchstack advisory before it is used for prioritisation. No exploits in the wild have been reported, and no official patch or mitigation link had been published at the time of disclosure. The vulnerability was published on December 9, 2025 and assigned by Patchstack. Given the plugin's footprint in WordPress deployments, it poses a moderate risk to affected installations until mitigated.

Potential Impact

For European organizations, the impact of CVE-2025-67596 primarily concerns confidentiality: an attacker may gain unauthorized access to information available to authenticated users of the Business Directory plugin, which could include business listings, contact details, or other directory data that the operator treats as confidential. Although the vulnerability does not allow data modification or service disruption, unauthorized exposure of personal data can amount to a privacy violation, cause reputational damage, and create regulatory exposure under GDPR. Organizations that use the plugin to manage customer or partner information are at risk of data leakage if one of their authenticated users is tricked into triggering a forged request. The need for user interaction makes large-scale automated exploitation less likely, but it does not remove the risk from targeted phishing or social engineering. Because no patch is currently available, organizations must rely on interim mitigations to protect their data and users. The impact is more pronounced for SMEs and public sector bodies that depend on this plugin for directory services, since they often have less mature security controls.

Mitigation Recommendations

To mitigate CVE-2025-67596 effectively, European organizations should implement the following measures:

1) Audit all WordPress installations for the Business Directory plugin (slug business-directory-plugin) and record the installed version; every version up to and including 6.4.19 is affected.
2) Until an official patch is released, use a web application firewall (WAF) to flag or block cross-origin POST requests to the plugin's administrative endpoints (for example, requests whose Origin or Referer header does not match the site's own host). Treat this as an interim control only: a forged request is sent by the victim's own browser with valid session cookies, so a WAF cannot reliably distinguish it from a legitimate one.
3) Educate users and administrators about phishing and social engineering, since a CSRF exploit needs a logged-in user to open an attacker-controlled page or link; emphasise caution with unsolicited links while an administrative session is open.
4) Verify that every form and state-changing or privileged handler within the plugin's scope is protected by WordPress nonces (wp_nonce_field() on the form, check_admin_referer() or check_ajax_referer() in the handler) combined with a capability check (current_user_can()). A nonce alone shows that the request originated from a form the site itself rendered; it is not an authorization check, so the two must be used together. Apply this via plugin updates, or via custom code if feasible.
5) Restrict user roles and capabilities to the minimum necessary, so that a forged request made with a given user's session can reach as little data as possible.
6) Monitor web server and WordPress logs for POST requests to the plugin's endpoints that carry a missing or off-site Referer or Origin header, or that arrive in unusual volumes or at unusual times, as possible exploitation attempts.
7) Subscribe to Strategy11 and Patchstack advisories so that a patch can be applied promptly once released.
8) Consider disabling the plugin, or isolating the site that runs it, if it is not critical to operations until a patch is available.

These actions go beyond generic advice by focusing on plugin-specific controls and on user awareness tailored to the vulnerability's characteristics.
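The following is an added illustration of the nonce-plus-capability pattern recommended in item 4; it is not code from the Business Directory plugin and does not reproduce its actual endpoints. The action names (example_save_settings, example_export), option name and field names are hypothetical. The first handler shows the pattern CSRF exploits (a WordPress admin-post hook that processes any request reaching it); the hardened handlers show the same work guarded by current_user_can(), check_admin_referer() and check_ajax_referer(), all of which are standard WordPress functions.

```php
<?php
/**
 * Added example (not Business Directory plugin code): an unprotected WordPress
 * admin-post handler beside its hardened form. Action, option and field names
 * are hypothetical.
 */

// --- Vulnerable pattern: every request reaching this hook is processed ----------
add_action( 'admin_post_example_save_settings_vulnerable', 'example_save_settings_vulnerable' );
function example_save_settings_vulnerable() {
    // No nonce check and no capability check. A <form> on an attacker's page that
    // auto-submits to admin-post.php with action=example_save_settings_vulnerable
    // runs this with whatever cookies the victim's browser attaches.
    update_option( 'example_directory_title', sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) ) );
    wp_safe_redirect( admin_url( 'admin.php?page=example-directory' ) );
    exit;
}

// --- Hardened pattern --------------------------------------------------------
// The form carries a nonce bound to one specific action name.
function example_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_settings">
        <?php wp_nonce_field( 'example_save_settings', 'example_nonce' ); ?>
        <input type="text" name="title"
               value="<?php echo esc_attr( get_option( 'example_directory_title', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

add_action( 'admin_post_example_save_settings', 'example_save_settings' );
function example_save_settings() {
    // 1. Authorization: is this user allowed to perform the action at all?
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 2. CSRF: did the request come from a form this site rendered for this user?
    //    check_admin_referer() calls wp_die() when the nonce is missing or invalid.
    check_admin_referer( 'example_save_settings', 'example_nonce' );

    // 3. Only now touch state, and only with sanitized input.
    update_option( 'example_directory_title', sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) ) );
    wp_safe_redirect( admin_url( 'admin.php?page=example-directory&updated=1' ) );
    exit;
}

// The same two checks for an admin-ajax.php endpoint that returns directory data.
// The JavaScript caller must send the nonce created with wp_create_nonce( 'example_export' )
// in the request parameter named 'nonce'.
add_action( 'wp_ajax_example_export', 'example_export' );
function example_export() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // check_ajax_referer() terminates the request with "-1" on a bad nonce by default.
    check_ajax_referer( 'example_export', 'nonce' );

    wp_send_json_success( array(
        'title' => get_option( 'example_directory_title', '' ),
    ) );
}
```

Order matters in the hardened handlers: the capability check runs first because a nonce is tied to the current user's session and proves only that the request came from the site's own form, not that the user may perform the action. Both checks must precede any read or write, since anything executed before them is reachable by a forged request.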

Need more detailed analysis?Upgrade to Pro Console

Technical Details

Data Version: 5.2
Assigner Short Name: Patchstack
Date Reserved: 2025-12-09T12:21:48.325Z
Cvss Version: null
State: PUBLISHED

Threat ID: 693833ae29cea75c35ae5779

Added to database: 12/9/2025, 2:35:26 PM

Last enriched: 1/21/2026, 1:07:33 AM

Last updated: 2/7/2026, 1:46:59 PM

