Directorist <= 8.6.6 - Unauthenticated Open Redirect
Description
The Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 8.6.6. This is due to insufficient validation on the redirect url supplied. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:NTechnical Details
<=8.6.6Source Code
WordPress.org SVN# Exploitation Research Plan - CVE-2025-64250 (Directorist Open Redirect) ## 1. Vulnerability Summary The **Directorist** plugin (versions <= 8.6.6) contains an unauthenticated open redirect vulnerability. The flaw exists in how the plugin handles redirection parameters (typically `redirect_to` or …
Show full research plan
Exploitation Research Plan - CVE-2025-64250 (Directorist Open Redirect)
1. Vulnerability Summary
The Directorist plugin (versions <= 8.6.6) contains an unauthenticated open redirect vulnerability. The flaw exists in how the plugin handles redirection parameters (typically redirect_to or atbdp_redirect_to) during certain global actions or AJAX routines. Because the plugin uses the native WordPress wp_redirect() function without passing the input through wp_validate_redirect() or using wp_safe_redirect(), an attacker can provide an absolute URL to an external malicious domain, and the server will headers-redirect the user there.
2. Attack Vector Analysis
- Endpoint: The vulnerability is likely reachable via a global hook (like
initortemplate_redirect) using query parameters, or via theadmin-ajax.phpendpoint. - Action Trigger:
atbdp_action=logoutoratbdp_action=login(via GET) are primary candidates. - Vulnerable Parameter:
redirect_tooratbdp_redirect_to. - Authentication: None (Unauthenticated).
- Preconditions: The plugin must be active.
3. Code Flow
- Entry Point: The plugin registers a listener on the
inithook (often inincludes/classes/class-helper.phporincludes/functions.php) to process custom actions. - Action Processing: The code checks for the existence of
$_GET['atbdp_action']or$_POST['atbdp_action']. - Redirection Logic: If the action is
logoutor a login-related trigger, the plugin retrieves a redirection URL from the request:$url = $_REQUEST['redirect_to'];. - The Sink: The plugin calls
wp_redirect( $url );followed byexit;. - Vulnerability: Since
wp_redirectallows any URL (including external ones) and no validation (likewp_validate_redirect) is performed, the redirect is "open."
4. Nonce Acquisition Strategy
Open redirects triggered via init hooks using GET parameters typically do not require nonces because they are designed to be used in simple links (e.g., a logout link).
If the exploit requires an AJAX action (e.g., action=atbdp_logout via admin-ajax.php), a nonce may be required.
- Shortcode:
[directorist_login_form] - Nonce Variable:
atbdp_auth_config.nonceordirectorist_common.nonce - Acquisition Steps:
- Create a page with the login form:
wp post create --post_type=page --post_status=publish --post_content='[directorist_login_form]' - Navigate to the page.
- Execute
browser_eval("window.atbdp_auth_config?.nonce")to retrieve the token.
- Create a page with the login form:
Note: The primary attack vector likely avoids nonces by using the GET-based init hook.
5. Exploitation Strategy
We will test two primary unauthenticated GET-based vectors.
Vector 1: Global Action (init hook)
- Request Type: GET
- URL:
http://localhost:8080/?atbdp_action=logout&redirect_to=https://google.com - Alternative URL:
http://localhost:8080/?directorist_action=logout&redirect_to=https://google.com
Vector 2: AJAX Endpoint
- Request Type: GET (AJAX actions often support GET)
- URL:
http://localhost:8080/wp-admin/admin-ajax.php?action=atbdp_logout&redirect_to=https://google.com
Payload: https://google.com (Target of the redirect)
HTTP Request Details (Vector 1):
GET /?atbdp_action=logout&redirect_to=https://google.com HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0
6. Test Data Setup
- Plugin Installation: Ensure Directorist version 8.6.6 is installed and active.
- Permalinks: Set permalinks to "Post name" to ensure query vars are handled correctly:
wp rewrite structure '/%postname%/' --flush. - No Auth Needed: The exploit is unauthenticated, so no users need to be created, but having at least one active listing might be necessary if the plugin logic checks for directory content (unlikely for logout redirects).
7. Expected Results
- Response Code:
302 Found - Header:
Location: https://google.com - Body: Empty or standard WordPress redirect HTML.
8. Verification Steps
- Analyze Response Headers: Use the
http_requesttool and inspect theheadersobject in the response. - Check Location: Confirm
response.headers['location'] === 'https://google.com'. - Manual Check: Attempt to navigate to the URL using
browser_navigateand verify the final URL ishttps://google.com.
9. Alternative Approaches
If atbdp_action=logout fails, try:
- Login Action:
/?atbdp_action=login&redirect_to=https://google.com(Some plugins redirect to the provided URL even if the login isn't attempted). - Directory Type Vector:
/?directory_type=general&atbdp_redirect_to=https://google.com - Registration Redirect:
/?atbdp_action=registration&redirect_to=https://google.com - Parameter Variations: Try
redirect,redirect_to,atbdp_redirect, andatbdp_redirect_to.
Summary
The Directorist plugin for WordPress (<= 8.6.6) is vulnerable to an unauthenticated open redirect because it fails to validate user-provided URLs in redirection parameters. By using the native wp_redirect() function without proper validation or using wp_safe_redirect(), the plugin allows attackers to redirect users to any external malicious domain.
Vulnerable Code
// Likely in includes/classes/class-helper.php or includes/functions.php if ( isset( $_GET['atbdp_action'] ) && $_GET['atbdp_action'] === 'logout' ) { $url = $_REQUEST['redirect_to']; wp_redirect( $url ); exit; }
Security Fix
@@ -10,2 +10,2 @@ - $url = $_REQUEST['redirect_to']; - wp_redirect( $url ); + $url = $_REQUEST['redirect_to']; + wp_safe_redirect( $url );
Exploit Outline
The exploit is executed by crafting a GET request to the WordPress site using specific action triggers monitored by the plugin. An unauthenticated attacker can append query parameters such as `atbdp_action=logout` and `redirect_to=https://malicious-site.com` to the home page URL. When the server processes this request, it retrieves the URL from the `redirect_to` parameter and performs a header-based redirect to the external site without verifying if the domain is local or trusted. No nonces or authentication are typically required for this global action.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.