CVE-2025-64243
Description
Missing Authorization vulnerability in e-plugins Directory Pro (directory-pro) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Directory Pro: from n/a through <= 2.5.6.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in Directory Pro plugin (<=2.5.6) allows attackers to exploit broken access controls, potentially leading to unauthorized actions.
Vulnerability
Overview
The Directory Pro plugin by e-plugins contains a missing authorization vulnerability (CVE-2025-64243) in versions up to 2.5.6. The plugin fails to properly validate user permissions when executing certain functions, allowing unauthenticated or low-privileged users to access capabilities reserved for higher-privileged roles. This issue stems from incorrect configuration of access control security levels [1].
Exploitation
Attackers can exploit this flaw by sending crafted requests to vulnerable endpoints without needing prior authentication. The vulnerability is particularly concerning because it is reportedly used in mass-exploit campaigns that target thousands of WordPress sites, regardless of their size or popularity [1]. No special prerequisites are required beyond network access to the target site.
Impact
Successful exploitation can enable an attacker to perform actions such as modifying directory listings, altering plugin settings, or gaining unintended privileges. The CVSS v3 base score of 4.3 (Medium) reflects the low complexity and limited confidentiality/integrity impact, but the lack of authentication requirements makes it attractive for automated attacks.
Mitigation
As the only effective mitigation, users must update the Directory Pro plugin to a patched version immediately. If an update is unavailable, users should contact their hosting provider or a web developer for assistance [1]. No workarounds are mentioned.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <=2.5.6
- (no CPE) range: <=2.5.6
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 1
News mentions: 0
No linked articles in our index yet.