CVE-2025-64219
Description
Missing Authorization vulnerability in Strategy11 Team Business Directory business-directory-plugin allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Business Directory: from n/a through <= 6.4.18.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The WordPress Business Directory plugin versions up to 6.4.18 contain a missing authorization vulnerability that allows unauthenticated attackers to exploit incorrectly configured access controls.
Vulnerability Description
A missing authorization vulnerability exists in the Strategy11 Team Business Directory plugin for WordPress (business-directory-plugin) versions through 6.4.18 [1]. This issue stems from incorrectly configured access control security levels, which can be exploited by unauthenticated attackers to perform actions that should require higher privileges [1].
Exploitation
Attackers can exploit this flaw without needing authentication, as the vulnerability arises from a broken access control (missing authorization or nonce token check) in a specific function [1]. This type of vulnerability is commonly used in mass-exploit campaigns targeting thousands of WordPress websites simultaneously [1].
Impact
Successful exploitation allows an unprivileged attacker to execute certain higher-privileged actions within the plugin, potentially leading to unauthorized modifications or data exposure [1]. The CVSS v3 score is 4.3 (Medium), but the vendor notes this is considered low severity for WordPress and unlikely to be actively exploited [1].
Mitigation
The vulnerability is patched in version 6.4.19 [1]. Users should update immediately or enable auto-updates via Patchstack [1]. If unable to update, consulting a hosting provider or web developer is recommended [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: <=6.4.18
- Range: <=6.4.18
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.