{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-68069", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-15T10:01:24.070Z", "datePublished": "2026-02-20T15:46:38.064Z", "dateUpdated": "2026-04-28T16:14:28.215Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "directorist", "product": "Directorist", "vendor": "wpWax", "versions": [{"changes": [{"at": "8.6.7", "status": "unaffected"}], "lessThanOrEqual": "8.6.6", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "daroo | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:20:22.431Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in wpWax Directorist directorist allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Directorist: from n/a through <= 8.6.6.</p>"}], "value": "Missing Authorization vulnerability in wpWax Directorist directorist allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Directorist: from n/a through <= 8.6.6."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:28.215Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/directorist/vulnerability/wordpress-directorist-plugin-8-5-6-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Directorist plugin <= 8.6.6 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-24T21:46:26.269337Z", "id": "CVE-2025-68069", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T18:32:23.720Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-68069", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-24T21:46:26.269337Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-24T21:46:53.887Z"}}], "cna": {"title": "WordPress Directorist plugin <= 8.6.6 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "daroo | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "wpWax", "product": "Directorist", "versions": [{"status": "affected", "changes": [{"at": "8.6.7", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "8.6.6"}], "packageName": "directorist", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:20:22.431Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/directorist/vulnerability/wordpress-directorist-plugin-8-5-6-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in wpWax Directorist directorist allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Directorist: from n/a through <= 8.6.6.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in wpWax Directorist directorist allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Directorist: from n/a through <= 8.6.6.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:13:56.213Z"}}}, "cveMetadata": {"cveId": "CVE-2025-68069", "state": "PUBLISHED", "dateUpdated": "2026-04-27T18:32:23.720Z", "dateReserved": "2025-12-15T10:01:24.070Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-20T15:46:38.064Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in wpWax Directorist directorist allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Directorist: from n/a through <= 8.6.6."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en wpWax Directorist directorist permite la explotaci\u00f3n de niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a Directorist: desde n/a hasta &lt;= 8.5.10."}], "id": "CVE-2025-68069", "lastModified": "2026-04-27T19:16:24.677", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-02-20T16:22:09.380", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/directorist/vulnerability/wordpress-directorist-plugin-8-5-6-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,8.5.10]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Directorist", "source": "cna", "vendor": "wpWax"}, "product": "directorist", "vendor": "wpwax"}], "analysis": {"en": {"generated_at": "2026-04-27T20:40:41.982062+00:00", "value": {"mitigation_remediation": ["Update the Directorist plugin to version 8.6.7 or later, which contains the vendor-supplied fix for the authorization issue.", "If an immediate update is not possible, remove or restrict any administrative or privileged roles from users who can access the Directorist plugin\u2019s protected endpoints until the patch is applied.", "Ensure that all role and capability checks for the plugin\u2019s features are enforced by reviewing the plugin\u2019s core code or by implementing a plugin or theme that validates role permissions before rendering sensitive content."], "summary": {"action": "Apply Patch", "impact": "Broken Access Control"}, "threat_synthesis": {"affected_systems": "The issue affects the wpWax Directorist plugin for WordPress, with vulnerable versions ranging from the earliest releases through version 8.6.6. Any WordPress site that has the Directorist plugin installed on a version at or below 8.6.6 is potentially impacted.", "description_and_impact": "The vulnerability is a missing authorization flaw that allows a user to bypass properly configured access control security levels within the WordPress Directorist plugin. Because of this, an attacker who can reach the affected plugin can gain unauthorized access to restricted data or modify content that should be protected. The weakness is identified as CWE-862, which represents missing authorization, and the CVSS score of 7.1 indicates a high severity impact on confidentiality, integrity, and availability.", "risk_and_exploitability": "The CVSS score of 7.1 signals a significant risk, yet the EPSS score of less than 1% indicates that the probability of exploitation observed in the wild is very low at this time. The vulnerability is not listed in the CISA KEV catalog, suggesting it has not been widely exploited yet. Based on the description, the likely attack vector is a web-based access to the plugin\u2019s administrative or restricted areas, requiring the attacker to have network access to the WordPress installation and the ability to submit crafted requests that exploit the missing authorization checks."}}}}, "created": "2026-02-23T14:45:32.952908+00:00", "updated": "2026-04-27T20:45:12.711709+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpwax", "wpwax$PRODUCT$directorist"]}