Introduction
Moving a single file can result in a complete compromise of a WordPress site running the Directorist plugin. CVE-2025-10488, reported in October 2025, highlights how insufficient path validation in a widely used business directory plugin exposes thousands of sites to remote code execution. Directorist, developed by wpwax, is an AI-powered business directory and classified ads plugin for WordPress with over 10,000 active installations and more than 676,000 downloads. Its popularity in the directory and listing space makes vulnerabilities in its codebase especially impactful for a broad range of organizations.
Technical Information
CVE-2025-10488 is a high-severity arbitrary file move vulnerability affecting the Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings for WordPress, specifically all versions up to and including 8.4.8. The vulnerability is rooted in the add_listing_action AJAX action, which processes user input related to listing management. The core issue is insufficient validation and sanitization of file path parameters supplied by users. The vulnerable code allows attackers to include path traversal sequences such as ../ in the file path, enabling them to move files to locations outside the intended directory. This is a textbook example of CWE-22 (Improper Limitation of a Pathname to a Restricted Directory).
The attack can be executed by sending a crafted HTTP POST request to the WordPress admin-ajax.php endpoint, specifying the add_listing_action action and including malicious path parameters. Since the vulnerability does not require authentication, any remote attacker can exploit it. The most severe impact occurs when critical files like wp-config.php are moved, which can force the site into setup mode or allow attackers to take control of the installation. The root cause is the lack of canonicalization and restriction checks on the input paths before performing file move operations.
Public code references confirm the flaw. For example, in version 8.4.5, the vulnerable function is located in class-add-listing.php at line 634:
// Reference only. Do not use this code in production. move_uploaded_file( $_FILES['file']['tmp_name'], $target_path );
In this context, $target_path can be manipulated by user input, and there is no adequate sanitization to prevent traversal outside the intended directory.
Affected Systems and Versions
The vulnerability affects the following product and versions:
- Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings for WordPress
- All versions up to and including 8.4.8
Sites running version 8.4.9 or later are not affected, as the vulnerability is patched in that release.
Vendor Security History
Directorist, maintained by wpwax, has a documented history of security issues. Public vulnerability databases and advisories list at least 17 vulnerabilities in the plugin since 2021, including issues related to missing authorization, arbitrary file upload, file deletion, and information disclosure. Multiple vulnerabilities have been related to improper input validation and authorization checks, indicating recurring challenges in secure coding practices. The vendor has generally responded with patches, but the frequency and similarity of issues suggest a need for more comprehensive security reviews and process improvements.
