CVE Alert: CVE-2025-10488 – wpwax – Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings

CVE-2025-10488

HIGH (no exploitation known)

The Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings plugin for WordPress is vulnerable to arbitrary file move due to insufficient file path validation in the add_listing_action AJAX action in all versions up to, and including, 8.4.8. This makes it possible for unauthenticated attackers to move arbitrary files on the server, which can easily lead to remote code execution when the right file is moved (such as wp-config.php).

CVSS v3.1 score: 8.1
Vendor: wpwax
Product: Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings
Versions: <= 8.4.8
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Published: 2025-10-25T06:49:21.186Z
Updated: 2025-10-25T06:49:21.186Z

AI Summary Analysis

**Risk verdict** High risk: enables remote code execution by a low-privilege, authenticated user (Subscriber level) through a path traversal flaw.

**Why this matters** The vulnerability permits moving arbitrary files on the server, which can directly lead to remote code execution if a critical file (e.g., wp-config.php) can be targeted. Compromise could give attackers full control over the site, let them exfiltrate data or deface content, and affect availability and trust.

**Most likely attack path** An authenticated but low-privilege user triggers the add_listing_action AJAX endpoint. Inadequate file path validation allows path traversal to relocate sensitive files. If the attacker places or overwrites a PHP payload in a location executed by the web server, RCE follows. Lateral movement is more likely within the plugin's scope and may be constrained by file permissions, but a successful move can yield persistence or broader site takeover.

**Who is most exposed** WordPress sites using the affected plugin, especially on shared hosting or multisite deployments with exposed admin interfaces and enabled file operations via AJAX. Sites with weak access controls or stale credentials are disproportionately at risk.

Detection ideas

  • Look for anomalous calls to admin-ajax.php with action=add_listing_action from authenticated sessions.
  • Monitor for unexpected file moves or creations in web-root or PHP execution paths (including wp-config.php).
  • Correlate spikes in file-write events with authenticated activity from low-privilege accounts.
  • Check for suspicious modification timestamps on core configuration or plugin files.
  • Alert on failed or unusual attempts to move critical system files.
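The first two detection ideas worked into a small log triage script, added here as an example and not part of the advisory: it parses constructed combined-format access log lines, flags requests to admin-ajax.php whose action is add_listing_action, and notes traversal tokens in the query string. The parameter name `p` in the sample is hypothetical, since the advisory does not name the vulnerable parameter.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Combined access-log format (Apache/nginx). POST bodies are not logged here, so
# this only sees GET-style query strings; treat hits as leads to confirm against
# WAF or application logs rather than as proof of exploitation.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Plain and URL-encoded "../" or "..\" sequences.
TRAVERSAL_RE = re.compile(r'\.\.[/\\]|%2e%2e', re.IGNORECASE)
AJAX_PATH = "/wp-admin/admin-ajax.php"
VULN_ACTION = "add_listing_action"

def parse_line(line):
    """Split one combined-format line into fields; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    parts = urlsplit(d["url"])
    d["path"] = parts.path
    d["raw_query"] = parts.query
    d["query"] = parse_qs(parts.query, keep_blank_values=True)
    return d

def find_suspicious(lines):
    """Return (ip, timestamp, status, reason) for each add_listing_action request."""
    hits = []
    for line in lines:
        d = parse_line(line)
        if not d or not d["path"].endswith(AJAX_PATH):
            continue
        if d["query"].get("action") != [VULN_ACTION]:
            continue
        reason = f"{VULN_ACTION} call"
        # Check both raw and decoded query so single URL encoding is not missed.
        if TRAVERSAL_RE.search(d["raw_query"]) or TRAVERSAL_RE.search(unquote(d["raw_query"])):
            reason += "; traversal token in parameters"
        hits.append((d["ip"], d["ts"], d["status"], reason))
    return hits

# Constructed sample lines; "p" is a hypothetical parameter name, not one from the advisory.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Oct/2025:07:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=add_listing_action&p=..%2F..%2Fwp-config.php HTTP/1.1" 200 51 "-" "curl/8.0"',
    '198.51.100.7 - - [25/Oct/2025:07:02:10 +0000] "GET /wp-admin/admin-ajax.php?action=add_listing_action HTTP/1.1" 200 120 "https://example.test/add-listing/" "Mozilla/5.0"',
    '198.51.100.8 - - [25/Oct/2025:07:03:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [25/Oct/2025:07:04:30 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 51 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit)
```

The last sample line shows the blind spot: a POST carrying the action in its body produces no hit in the access log, which is why the advisory's file-change monitoring ideas are the necessary complement.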

Mitigation and prioritisation

  • Apply the patched version (or vendor-recommended update) to close the path traversal; verify update applies cleanly in staging before production.
  • If patching promptly isn’t possible, implement a WAF rule to block the specific AJAX action or restrict it to higher-privilege roles; disable the action if feasible.
  • Enforce strict account hygiene: rotate credentials, enforce MFA for site managers, and audit for compromised subscriber accounts.
  • Implement file integrity monitoring and restrict write access to sensitive files (e.g., wp-config.php, core PHP files).
  • Change-management: test in a staging environment, then deploy during a maintenance window with backups. If KEV data or EPSS ≥ 0.5 becomes available, adjust priority accordingly.
