CVE-2025-12174 MEDIUM

CVE-2025-12174: Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings <= 8.5.2 - Missing Authorization to Authenticated (Subscriber+) Data Export and Slug Update

Vendor: Wpwax
Product: Directorist: AI-Powered Business Directory, Listings & Classified Ads
Weakness: CWE-862 · Missing authorization
Published: November 19, 2025
Last update: April 8, 2026

CVSS base score

6.5/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality: Low
Integrity: Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

What the vulnerability does

01 Description

The Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'directorist_prepare_listings_export_file' and 'directorist_type_slug_change' AJAX actions in all versions up to, and including, 8.5.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to export listing details and change the directorist slug.
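A stop-gap for sites still running an affected version, as an added example (not part of this advisory or the plugin's own code): a must-use plugin that enforces a capability check before the two AJAX actions named above reach their handlers. The `manage_options` capability, the file location and the `example_guard_*` names are assumptions; it also assumes the plugin registers its handlers at the default hook priority of 10 or later.

```php
<?php
/**
 * Plugin Name: Directorist AJAX capability guard (added example)
 *
 * Place in wp-content/mu-plugins/ (hypothetical file, not shipped by the vendor).
 */

// The two AJAX actions named in the advisory.
const EXAMPLE_GUARDED_ACTIONS = array(
    'directorist_prepare_listings_export_file',
    'directorist_type_slug_change',
);

// Assumption: only administrators should export listings or change the slug.
const EXAMPLE_GUARD_CAPABILITY = 'manage_options';

/**
 * Reject the request unless the caller is logged in and holds the capability.
 */
function example_guard_require_capability() {
    if ( is_user_logged_in() && current_user_can( EXAMPLE_GUARD_CAPABILITY ) ) {
        return; // Authorized: the plugin's own handler runs next.
    }

    // wp_send_json_error() sends the JSON response and ends the request,
    // so a handler hooked at a later priority never executes.
    wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
}

foreach ( EXAMPLE_GUARDED_ACTIONS as $action ) {
    // Priority 0 runs before callbacks registered at the default priority (10).
    add_action( 'wp_ajax_' . $action, 'example_guard_require_capability', 0 );
    // Also deny logged-out callers, in case a nopriv handler is registered.
    add_action( 'wp_ajax_nopriv_' . $action, 'example_guard_require_capability', 0 );
}
```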

Explanation of Vulnerability in Simple Terms

02 Summary

Directorist versions up to 8.5.2 lack proper authorization checks, allowing unauthenticated attackers to read and modify certain data without permission. The vulnerability requires no user interaction and is accessible over the network. An attacker can exploit this to access or alter sensitive information stored within the plugin.

What an attacker can do

03 Attacker Capabilities

Read and modify data without logging in or having permission to do so.

Potential impact on your site

04 Site Impact

Unauthorized users can view and change sensitive directory or listing data stored by the plugin.

Conditions required to exploit

05 Prerequisites

Network access to the site; no authentication or user interaction required.

Key dates

06 Disclosure timeline

November 19, 2025: CVE published
April 8, 2026: Record updated