{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-2224", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-03-11T17:29:40.677Z", "datePublished": "2025-03-25T05:22:48.169Z", "dateUpdated": "2026-04-08T16:58:26.368Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:58:26.368Z"}, "affected": [{"vendor": "wpwax", "product": "Directorist: AI-Powered Business Directory, Listings & Classified Ads", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "8.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the 'parse_query' function in all versions up to, and including, 8.2. This makes it possible for unauthenticated attackers to update the post_status of any post to 'publish'."}], "title": "Directorist <= 8.2 - Missing Authorization to Unauthenticated Arbitrary Post Publishing", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/684e6a97-b884-4d25-99f1-81c2a43f1239?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/directorist/trunk/includes/classes/class-add-listing.php#L912"}, {"url": "https://plugins.trac.wordpress.org/browser/directorist/trunk/includes/classes/class-add-listing.php#L942"}, {"url": "https://plugins.trac.wordpress.org/browser/directorist/trunk/includes/classes/class-add-listing.php#L960"}, {"url": "https://plugins.trac.wordpress.org/changeset/3260639/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Michael Mazzolini"}], "timeline": [{"time": "2025-03-24T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-31T18:18:19.412775Z", "id": "CVE-2025-2224", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-31T18:18:28.816Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-2224", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-31T18:18:19.412775Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-31T18:18:24.651Z"}}], "cna": {"title": "Directorist <= 8.2 - Missing Authorization to Unauthenticated Arbitrary Post Publishing", "credits": [{"lang": "en", "type": "finder", "value": "Michael Mazzolini"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}}], "affected": [{"vendor": "wpwax", "product": "Directorist: AI-Powered Business Directory, Listings & Classified Ads", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "8.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-03-24T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/684e6a97-b884-4d25-99f1-81c2a43f1239?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/directorist/trunk/includes/classes/class-add-listing.php#L912"}, {"url": "https://plugins.trac.wordpress.org/browser/directorist/trunk/includes/classes/class-add-listing.php#L942"}, {"url": "https://plugins.trac.wordpress.org/browser/directorist/trunk/includes/classes/class-add-listing.php#L960"}, {"url": "https://plugins.trac.wordpress.org/changeset/3260639/"}], "descriptions": [{"lang": "en", "value": "The Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the 'parse_query' function in all versions up to, and including, 8.2. This makes it possible for unauthenticated attackers to update the post_status of any post to 'publish'."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:58:26.368Z"}}}, "cveMetadata": {"cveId": "CVE-2025-2224", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:58:26.368Z", "dateReserved": "2025-03-11T17:29:40.677Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-03-25T05:22:48.169Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the 'parse_query' function in all versions up to, and including, 8.2. This makes it possible for unauthenticated attackers to update the post_status of any post to 'publish'."}, {"lang": "es", "value": "El complemento Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings para WordPress es vulnerable al acceso y la modificaci\u00f3n no autorizados de datos debido a la falta de una comprobaci\u00f3n de la funci\u00f3n \"parse_query\" en todas las versiones hasta la 8.2 incluida. Esto permite que atacantes no autenticados actualicen el estado de cualquier publicaci\u00f3n a \"publicar\"."}], "id": "CVE-2025-2224", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-03-25T06:15:41.327", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/directorist/trunk/includes/classes/class-add-listing.php#L912"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/directorist/trunk/includes/classes/class-add-listing.php#L942"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/directorist/trunk/includes/classes/class-add-listing.php#L960"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3260639/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/684e6a97-b884-4d25-99f1-81c2a43f1239?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T21:44:59.057208+00:00", "value": {"mitigation_remediation": ["Upgrade Directorist plugin to version 8.3 or later where the capability check is implemented.", "If upgrading is not immediately feasible, restrict the ability to change post status to trusted roles or remove the faulty capability check if possible.", "Implement monitoring to detect sudden changes in post status or unexpected published content and alert administrators."], "summary": {"action": "Apply Patch", "impact": "Unauthorized post publishing"}, "threat_synthesis": {"affected_systems": "Affected products are wpwax Directorist: AI\u2011Powered Business Directory Plugin, Listings & Classified Ads for WordPress versions up to and including 8.2. All earlier versions carry the same issue as the capability check is absent for all of them; any Post type served by this plugin can be altered by an attacker.", "description_and_impact": "The vulnerability exists in the Directorist plugin for WordPress, where a missing capability check on the parse_query function allows any user, even unauthenticated, to change a post's status to publish. This flaw permits attackers to publish arbitrary content, potentially leading to defacement, phishing, or spam posts. The weakness corresponds to missing elevation of privilege, CWE\u2011862.", "risk_and_exploitability": "The CVSS score of 5.3 indicates a moderate severity, and the EPSS score of less than 1% points to low likelihood of current exploitation. However, because the flaw does not require authentication and affects content integrity, attackers can abuse it to post unwanted material. The vulnerability is not listed in CISA KEV, but its potential impact warrants immediate remediation."}}}}, "created": "2026-04-21T21:45:25.851001+00:00", "updated": "2026-04-21T21:45:25.851016+00:00", "vendors": []}