VYPR
Medium severity 4.3 · NVD Advisory · Published Dec 9, 2025 · Updated Apr 27, 2026

CVE-2025-67596

Description

Cross-Site Request Forgery (CSRF) vulnerability in Strategy11 Team Business Directory business-directory-plugin allows Cross Site Request Forgery. This issue affects Business Directory: from n/a through <= 6.4.19.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cross-Site Request Forgery (CSRF) in the Business Directory plugin for WordPress allows attackers to force privileged users into executing unwanted actions.

The Business Directory plugin for WordPress (versions up to and including 6.4.19) contains a Cross-Site Request Forgery (CSRF) vulnerability. This flaw arises from insufficient verification of the origin of requests, allowing an attacker to craft malicious links that, when clicked by an authenticated administrator or other privileged user, perform unauthorized actions on the victim's behalf [1].

The exploitation requires user interaction — a privileged user must click a crafted link or visit a malicious page while logged into the WordPress admin area. No authentication is needed for the attacker themselves, but the victim must have an active session with sufficient privileges [1]. This attack vector is commonly used in mass exploitation campaigns targeting multiple websites simultaneously [1].

If successfully exploited, an attacker can force the victim to perform unintended actions, such as modifying plugin settings, deleting directory entries, or other administrative operations the victim is authorized to perform. The CVSS score of 4.3 (Medium) reflects the requirement for user interaction and the need for a privileged victim [1].

The vendor has released version 6.4.20, which resolves the vulnerability. The recommended mitigation is to update to this latest version; Patchstack users can enable auto-update for affected plugins [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

References

1
