CVE-2025-10488
Published: 25 October 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-10488 is an arbitrary file move vulnerability in the Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings for WordPress, caused by insufficient file path validation in the add_listing_action AJAX action. It affects all versions up to and including 8.4.8. The issue, published on 2025-10-25, carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H) and is associated with CWE-22 (Improper Limitation of a Pathname to a Restricted Directory).
Unauthenticated attackers can exploit the vulnerability to move arbitrary files on the server. By targeting critical files such as wp-config.php, this can readily result in remote code execution.
References include WordPress plugin trac browser source code at line 634 in class-add-listing.php for version 8.4.5, a related changeset, and a Wordfence threat intelligence advisory, which collectively point to patching via code changes in later versions.
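The root cause stated above is missing file path validation in an AJAX handler that moves files. The following is an added example, not Directorist's code or the fix referenced in the changeset, showing the two controls a WordPress file-move handler needs: an authorization and nonce check on the AJAX action, and a containment check that resolves both the source and the destination with realpath() and confirms they stay inside an allowed base directory. The action name `example_move_file`, the nonce action string and the extension allowlist are assumptions made for the example.

```php
<?php
// Added example (not the plugin's code): a hardened file-move AJAX handler for WordPress.

/**
 * Move $source_rel to $dest_rel, both given relative to $base_dir, only if both
 * resolve inside $base_dir. Returns true on success, false on any rejection.
 */
function example_safe_move_within_base(string $base_dir, string $source_rel, string $dest_rel): bool {
    $base = realpath($base_dir);
    if ($base === false) {
        return false;
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    // Reject empty input, NUL bytes and any ".." path component up front.
    foreach ([$source_rel, $dest_rel] as $rel) {
        if ($rel === '' || strpos($rel, "\0") !== false
            || preg_match('#(^|[\\\\/])\.\.([\\\\/]|$)#', $rel)) {
            return false;
        }
    }

    // Source must exist, be a regular file, and resolve under the base directory.
    $src = realpath($base . $source_rel);
    if ($src === false || !is_file($src) || strncmp($src, $base, strlen($base)) !== 0) {
        return false;
    }

    // The destination may not exist yet, so resolve its parent directory instead
    // and re-check containment on the resolved parent.
    $dest_parent = realpath($base . dirname($dest_rel));
    if ($dest_parent === false
        || strncmp($dest_parent . DIRECTORY_SEPARATOR, $base, strlen($base)) !== 0) {
        return false;
    }
    $dest = $dest_parent . DIRECTORY_SEPARATOR . sanitize_file_name(basename($dest_rel));

    // Only allow harmless media types as the destination name; this blocks
    // renaming anything to a server-executable extension. Allowlist is an assumption.
    $ext = strtolower(pathinfo($dest, PATHINFO_EXTENSION));
    if (!in_array($ext, ['jpg', 'jpeg', 'png', 'gif', 'pdf'], true)) {
        return false;
    }

    return rename($src, $dest);
}

// Register the handler for logged-in users only: no wp_ajax_nopriv_ hook,
// so unauthenticated requests never reach the file operation.
add_action('wp_ajax_example_move_file', function () {
    // Nonce check ties the request to a form issued to this user.
    check_ajax_referer('example_move_file', 'nonce');

    // Capability check: the caller must be allowed to manage uploads at all.
    if (!current_user_can('upload_files')) {
        wp_send_json_error('forbidden', 403);
    }

    $source = isset($_POST['source']) ? wp_unslash($_POST['source']) : '';
    $dest   = isset($_POST['dest'])   ? wp_unslash($_POST['dest'])   : '';

    // Confine every move to the site's uploads directory.
    $upload_dir = wp_upload_dir();
    if (!example_safe_move_within_base($upload_dir['basedir'], $source, $dest)) {
        wp_send_json_error('invalid path', 400);
    }
    wp_send_json_success();
});
```

The containment check must be done on the realpath() output, not on the raw string: a comparison against the user-supplied text can be bypassed with symlinks or encoded separators, while comparing the canonical path against the canonical base with a trailing separator cannot be satisfied by a path that escapes the directory. Denying the unauthenticated `wp_ajax_nopriv_` hook and checking a capability closes the other half of the issue described in the summary.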
Details
- CWE(s): CWE-22 (Improper Limitation of a Pathname to a Restricted Directory)
AI Security Analysis
- AI Category: Other Platforms
- Risk Domain: Other ATLAS/OWASP Terms
- OWASP Top 10 for LLMs 2025: None mapped
- MITRE ATLAS Techniques: None mapped
- Classification Reason: The vulnerability affects the Directorist WordPress plugin, branded as 'AI-Powered Business Directory', indicating AI-related functionality, but the issue is a general web vulnerability (arbitrary file move) not specific to AI components. It fits 'Other Platforms' because it is an AI-enhanced plugin/platform.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability in the WordPress plugin enables unauthenticated exploitation of a public-facing application through arbitrary file moves in an AJAX endpoint, facilitating remote code execution.