CVE-2025-64250

Directorist <= 8.6.6 - Unauthenticated Open Redirect

mediumURL Redirection to Untrusted Site ('Open Redirect')
5.8
CVSS Score
5.8
CVSS Score
medium
Severity
8.6.7
Patched in
121d
Time to patch

Description

The Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 8.6.6. This is due to insufficient validation on the redirect url supplied. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=8.6.6
PublishedDecember 15, 2025
Last updatedApril 14, 2026
Affected plugindirectorist

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan - CVE-2025-64250 (Directorist Open Redirect) ## 1. Vulnerability Summary The **Directorist** plugin (versions <= 8.6.6) contains an unauthenticated open redirect vulnerability. The flaw exists in how the plugin handles redirection parameters (typically `redirect_to` or …

Show full research plan

Exploitation Research Plan - CVE-2025-64250 (Directorist Open Redirect)

1. Vulnerability Summary

The Directorist plugin (versions <= 8.6.6) contains an unauthenticated open redirect vulnerability. The flaw exists in how the plugin handles redirection parameters (typically redirect_to or atbdp_redirect_to) during certain global actions or AJAX routines. Because the plugin uses the native WordPress wp_redirect() function without passing the input through wp_validate_redirect() or using wp_safe_redirect(), an attacker can provide an absolute URL to an external malicious domain, and the server will headers-redirect the user there.

2. Attack Vector Analysis

  • Endpoint: The vulnerability is likely reachable via a global hook (like init or template_redirect) using query parameters, or via the admin-ajax.php endpoint.
  • Action Trigger: atbdp_action=logout or atbdp_action=login (via GET) are primary candidates.
  • Vulnerable Parameter: redirect_to or atbdp_redirect_to.
  • Authentication: None (Unauthenticated).
  • Preconditions: The plugin must be active.

3. Code Flow

  1. Entry Point: The plugin registers a listener on the init hook (often in includes/classes/class-helper.php or includes/functions.php) to process custom actions.
  2. Action Processing: The code checks for the existence of $_GET['atbdp_action'] or $_POST['atbdp_action'].
  3. Redirection Logic: If the action is logout or a login-related trigger, the plugin retrieves a redirection URL from the request: $url = $_REQUEST['redirect_to'];.
  4. The Sink: The plugin calls wp_redirect( $url ); followed by exit;.
  5. Vulnerability: Since wp_redirect allows any URL (including external ones) and no validation (like wp_validate_redirect) is performed, the redirect is "open."

4. Nonce Acquisition Strategy

Open redirects triggered via init hooks using GET parameters typically do not require nonces because they are designed to be used in simple links (e.g., a logout link).

If the exploit requires an AJAX action (e.g., action=atbdp_logout via admin-ajax.php), a nonce may be required.

  • Shortcode: [directorist_login_form]
  • Nonce Variable: atbdp_auth_config.nonce or directorist_common.nonce
  • Acquisition Steps:
    1. Create a page with the login form: wp post create --post_type=page --post_status=publish --post_content='[directorist_login_form]'
    2. Navigate to the page.
    3. Execute browser_eval("window.atbdp_auth_config?.nonce") to retrieve the token.

Note: The primary attack vector likely avoids nonces by using the GET-based init hook.

5. Exploitation Strategy

We will test two primary unauthenticated GET-based vectors.

Vector 1: Global Action (init hook)

  • Request Type: GET
  • URL: http://localhost:8080/?atbdp_action=logout&redirect_to=https://google.com
  • Alternative URL: http://localhost:8080/?directorist_action=logout&redirect_to=https://google.com

Vector 2: AJAX Endpoint

  • Request Type: GET (AJAX actions often support GET)
  • URL: http://localhost:8080/wp-admin/admin-ajax.php?action=atbdp_logout&redirect_to=https://google.com

Payload: https://google.com (Target of the redirect)

HTTP Request Details (Vector 1):

GET /?atbdp_action=logout&redirect_to=https://google.com HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0

6. Test Data Setup

  1. Plugin Installation: Ensure Directorist version 8.6.6 is installed and active.
  2. Permalinks: Set permalinks to "Post name" to ensure query vars are handled correctly: wp rewrite structure '/%postname%/' --flush.
  3. No Auth Needed: The exploit is unauthenticated, so no users need to be created, but having at least one active listing might be necessary if the plugin logic checks for directory content (unlikely for logout redirects).

7. Expected Results

  • Response Code: 302 Found
  • Header: Location: https://google.com
  • Body: Empty or standard WordPress redirect HTML.

8. Verification Steps

  1. Analyze Response Headers: Use the http_request tool and inspect the headers object in the response.
  2. Check Location: Confirm response.headers['location'] === 'https://google.com'.
  3. Manual Check: Attempt to navigate to the URL using browser_navigate and verify the final URL is https://google.com.

9. Alternative Approaches

If atbdp_action=logout fails, try:

  1. Login Action: /?atbdp_action=login&redirect_to=https://google.com (Some plugins redirect to the provided URL even if the login isn't attempted).
  2. Directory Type Vector: /?directory_type=general&atbdp_redirect_to=https://google.com
  3. Registration Redirect: /?atbdp_action=registration&redirect_to=https://google.com
  4. Parameter Variations: Try redirect, redirect_to, atbdp_redirect, and atbdp_redirect_to.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Directorist plugin for WordPress (<= 8.6.6) is vulnerable to an unauthenticated open redirect because it fails to validate user-provided URLs in redirection parameters. By using the native wp_redirect() function without proper validation or using wp_safe_redirect(), the plugin allows attackers to redirect users to any external malicious domain.

Vulnerable Code

// Likely in includes/classes/class-helper.php or includes/functions.php
if ( isset( $_GET['atbdp_action'] ) && $_GET['atbdp_action'] === 'logout' ) {
    $url = $_REQUEST['redirect_to'];
    wp_redirect( $url );
    exit;
}

Security Fix

--- a/includes/functions.php
+++ b/includes/functions.php
@@ -10,2 +10,2 @@
-    $url = $_REQUEST['redirect_to'];
-    wp_redirect( $url );
+    $url = $_REQUEST['redirect_to'];
+    wp_safe_redirect( $url );

Exploit Outline

The exploit is executed by crafting a GET request to the WordPress site using specific action triggers monitored by the plugin. An unauthenticated attacker can append query parameters such as `atbdp_action=logout` and `redirect_to=https://malicious-site.com` to the home page URL. When the server processes this request, it retrieves the URL from the `redirect_to` parameter and performs a header-based redirect to the external site without verifying if the domain is local or trusted. No nonces or authentication are typically required for this global action.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.