CVE-2025-10488
Published: 25 October 2025
Summary
CVE-2025-10488 is a high-severity Path Traversal (CWE-22) vulnerability in WordPress (inferred from references). Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked in the top 46.4% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related, categorised as Other Platforms, in the Other ATLAS/OWASP Terms risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mitigates the vulnerability by requiring timely remediation through patching the Directorist plugin to address the insufficient file path validation flaw.
- SI-10 (Information Input Validation): mandates validation of information inputs, including file paths in AJAX actions, to prevent path traversal and arbitrary file moves.
- Integrity monitoring: provides integrity monitoring of files and software to detect unauthorized movements or modifications resulting from exploitation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability in the WordPress plugin enables unauthenticated exploitation of a public-facing application through arbitrary file moves in an AJAX endpoint, facilitating remote code execution.
NVD Description
The Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings plugin for WordPress is vulnerable to arbitrary file move due to insufficient file path validation in the add_listing_action AJAX action in all versions up to, and including, 8.4.8. This makes it possible for unauthenticated attackers to move arbitrary files on the server, which can easily lead to remote code execution when the right file is moved (such as wp-config.php).
Deeper analysis
CVE-2025-10488 is an arbitrary file move vulnerability in the Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings for WordPress, caused by insufficient file path validation in the add_listing_action AJAX action. It affects all versions up to and including 8.4.8. The issue, published on 2025-10-25, carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H) and is associated with CWE-22 (Improper Limitation of a Pathname to a Restricted Directory).
Unauthenticated attackers can exploit the vulnerability to move arbitrary files on the server. By targeting critical files such as wp-config.php, this can readily result in remote code execution.
References include the WordPress plugin Trac browser view of class-add-listing.php at line 634 for version 8.4.5, a related changeset, and a Wordfence threat intelligence advisory; together they point to the fix being delivered as code changes in later plugin versions.
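The flaw class described above is a file move whose source and destination paths come from request input without being confined to an allowed directory. The following is an added example of the defensive pattern, not Directorist's code or its patch: every user-supplied path is resolved with realpath() and rejected unless it stays inside a fixed base directory, and the AJAX action checks a nonce and a capability before touching the filesystem (the function names, hook name and listings directory are assumptions).

```php
<?php
// Added example (not Directorist's code): confine user-supplied paths to one
// directory before a file move in a WordPress AJAX handler. The function
// names, the hook name and the listings directory are assumptions.

/** Return the absolute path for $user_path inside $base_dir, or false. */
function example_confine_path( string $base_dir, string $user_path ) {
    $base = realpath( $base_dir );
    if ( $base === false ) {
        return false;
    }
    // Reject null bytes and absolute paths outright (path_is_absolute is a WP helper).
    if ( strpos( $user_path, "\0" ) !== false || path_is_absolute( $user_path ) ) {
        return false;
    }
    $candidate = $base . DIRECTORY_SEPARATOR . ltrim( $user_path, '/\\' );
    // realpath() collapses "../" segments and resolves symlinks.
    $resolved = realpath( $candidate );
    if ( $resolved === false ) {
        // Destination may not exist yet: resolve its parent, keep a plain leaf name.
        $parent = realpath( dirname( $candidate ) );
        $leaf   = basename( $candidate );
        if ( $parent === false || $leaf === '.' || $leaf === '..' ) {
            return false;
        }
        $resolved = $parent . DIRECTORY_SEPARATOR . $leaf;
    }
    // The resolved path must lie strictly below the base directory.
    return str_starts_with( $resolved, $base . DIRECTORY_SEPARATOR ) ? $resolved : false;
}

function example_move_listing_file() {
    // Authorization first: nonce and capability, before any path is inspected.
    check_ajax_referer( 'example_move_file', 'nonce' );
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $upload = wp_upload_dir();
    $base   = $upload['basedir'] . '/example-listings'; // assumed directory
    $src    = example_confine_path( $base, (string) ( $_POST['src'] ?? '' ) );
    $dst    = example_confine_path( $base, (string) ( $_POST['dst'] ?? '' ) );
    if ( $src === false || $dst === false || ! is_file( $src ) ) {
        wp_send_json_error( 'invalid path', 400 );
    }
    // Only now perform the move, with both ends inside the confined directory.
    wp_send_json_success( rename( $src, $dst ) );
}
// Registered for authenticated requests only; no wp_ajax_nopriv_ variant.
add_action( 'wp_ajax_example_move_listing_file', 'example_move_listing_file' );
```

With this shape, a path such as `../../wp-config.php` resolves outside the base directory and is rejected before rename() is ever called.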
Details
- CWE(s): CWE-22 (Improper Limitation of a Pathname to a Restricted Directory)
- Affected Products: Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings plugin for WordPress, all versions up to and including 8.4.8
AI Security Analysis
- AI Category: Other Platforms
- Risk Domain: Other ATLAS/OWASP Terms
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: The vulnerability affects the Directorist WordPress plugin, branded as 'AI-Powered Business Directory,' indicating AI-related functionality, but the issue is a general web vulnerability (arbitrary file move) not specific to AI components. It fits 'Other Platforms' as it is an AI-enhanced plugin/platform.