CVE-2025-1570
Published: 28 February 2025
Summary
CVE-2025-1570 is a high-severity Weak Password Recovery Mechanism for Forgotten Password (CWE-640) vulnerability in Wpwax Directorist. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Brute Force (T1110); it is ranked at the 49.1 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-7 (Unsuccessful Logon Attempts) and IA-5 (Authenticator Management).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-7 (Unsuccessful Logon Attempts): limits consecutive invalid logon attempts, directly preventing brute-force attacks on OTPs during password resets.
- IA-5 (Authenticator Management): requires secure management of authenticators such as OTPs, including strength requirements, secure generation, distribution, and protections against unauthorized brute-force or reset requests.
- SI-2 (Flaw Remediation): mandates timely flaw remediation, such as patching the vulnerable directorist_generate_password_reset_pin_code() and reset_user_password() functions to fix the inadequate OTP controls.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables brute force attacks (T1110) on OTP codes in the password reset functions due to insufficient controls, allowing unauthenticated attackers to reset any user's password, including administrators, resulting in account takeover.
NVD Description
The Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 8.1. This is due to the directorist_generate_password_reset_pin_code() and reset_user_password() functions not having enough controls to prevent a successful brute force attack of the OTP to change a password, or verify that a password reset request came from an authorized user. This makes it possible for unauthenticated attackers to generate and brute force an OTP that makes it possible to change any user's password, including an administrator's.
Deeper analysis
CVE-2025-1570 is a privilege escalation vulnerability via account takeover affecting the Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings for WordPress in all versions up to and including 8.1. The flaw arises from inadequate controls in the directorist_generate_password_reset_pin_code() and reset_user_password() functions, which fail to prevent brute force attacks on one-time passwords (OTPs) or to verify that password reset requests originate from authorized users. This CWE-640 issue carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential confidentiality, integrity, and availability impacts.
Unauthenticated attackers can exploit this vulnerability remotely over the network, though it requires high attack complexity. By generating OTPs and brute-forcing them, attackers can reset passwords for any user account, including administrators, achieving full account takeover and subsequent control over the WordPress site.
Advisories reference a patch in the WordPress plugins trac at changeset 3246340 for Directorist, with additional details available in Wordfence threat intelligence. Security practitioners should update to a plugin version beyond 8.1 to mitigate the issue.
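The controls listed above (AC-7 attempt limits, IA-5 authenticator management) and the flaw described in the deeper analysis both come down to the same design question: what a password-reset PIN verifier must enforce so that neither guessing the PIN nor repeatedly requesting new PINs is feasible. The following Python is an added illustration written for this page; it is not Directorist code and does not reproduce the plugin's functions. All concrete parameters are assumptions: a 6-digit numeric PIN, a 10-minute lifetime, 5 invalid attempts per PIN, and at most 3 PINs issued per account per hour. The last function quantifies why the limits matter: it bounds the probability that a guessed PIN is accepted within one issuance window.

```python
"""Hardened password-reset PIN verifier (added example, not plugin code)."""
import hashlib
import hmac
import secrets
import time

PIN_DIGITS = 6               # assumed: numeric PIN length
PIN_TTL_SECONDS = 600        # assumed: how long an issued PIN stays valid
MAX_ATTEMPTS = 5             # assumed: AC-7 cap on invalid attempts per PIN
MAX_ISSUES_PER_WINDOW = 3    # assumed: cap on PINs issued per account per window
ISSUE_WINDOW_SECONDS = 3600  # assumed: length of that window


def _digest(salt: bytes, pin: str) -> bytes:
    # IA-5: store only a salted hash, so a database read never exposes live PINs.
    return hashlib.sha256(salt + pin.encode()).digest()


class ResetPinStore:
    """Server-side state for reset PINs, keyed by user id.

    `clock` is injectable so expiry and rate windows can be tested deterministically.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}   # user_id -> {"salt", "digest", "expires", "attempts"}
        self._issued = {}    # user_id -> timestamps of PINs issued in the window

    def issue(self, user_id: str):
        """Issue a fresh PIN, or return None if the account hit its request cap."""
        now = self._clock()
        recent = [t for t in self._issued.get(user_id, []) if now - t < ISSUE_WINDOW_SECONDS]
        if len(recent) >= MAX_ISSUES_PER_WINDOW:
            self._issued[user_id] = recent
            return None  # re-requesting a PIN must not reset the attempt budget for free
        recent.append(now)
        self._issued[user_id] = recent
        pin = "".join(str(secrets.randbelow(10)) for _ in range(PIN_DIGITS))  # CSPRNG
        salt = secrets.token_bytes(16)
        # Issuing a new PIN replaces any earlier one: only one PIN is ever live per user.
        self._pending[user_id] = {
            "salt": salt,
            "digest": _digest(salt, pin),
            "expires": now + PIN_TTL_SECONDS,
            "attempts": 0,
        }
        return pin  # in a real deployment this is delivered out of band, never echoed

    def verify(self, user_id: str, candidate: str) -> str:
        """Return "ok", "wrong", "locked", "expired" or "no_pending_reset"."""
        rec = self._pending.get(user_id)
        if rec is None:
            return "no_pending_reset"
        if self._clock() > rec["expires"]:
            del self._pending[user_id]
            return "expired"
        if rec["attempts"] >= MAX_ATTEMPTS:
            return "locked"  # AC-7: budget exhausted, even a correct PIN is refused
        rec["attempts"] += 1
        ok = hmac.compare_digest(rec["digest"], _digest(rec["salt"], candidate))
        if not ok:
            return "locked" if rec["attempts"] >= MAX_ATTEMPTS else "wrong"
        del self._pending[user_id]  # single use: a verified PIN cannot be replayed
        return "ok"


def guess_success_probability(digits=PIN_DIGITS, attempts=MAX_ATTEMPTS,
                              pins_per_window=MAX_ISSUES_PER_WINDOW) -> float:
    """Upper bound on the chance that guessing is accepted within one window.

    Each issued PIN allows `attempts` guesses out of 10**digits possibilities, and
    `pins_per_window` PINs can be issued; without either cap the bound reaches 1.0.
    """
    return min(1.0, attempts * pins_per_window / 10 ** digits)


if __name__ == "__main__":
    store = ResetPinStore()
    pin = store.issue("demo-user")
    print("issued (demo only):", pin)
    print("wrong guess ->", store.verify("demo-user", "000000" if pin != "000000" else "111111"))
    print("correct PIN ->", store.verify("demo-user", pin))
    print("bounded guess probability:", guess_success_probability())
    print("unbounded guess probability:", guess_success_probability(attempts=10 ** PIN_DIGITS, pins_per_window=1))
```

The two caps work together: the per-PIN attempt limit alone is defeated if a client can request a fresh PIN (and a fresh attempt budget) at will, which is why the issuance window is enforced per account rather than per PIN. The advisory's "generate and brute force an OTP" wording is exactly that combination. Expiry and single use keep a leaked or guessed PIN from remaining useful, and the constant-time comparison avoids leaking partial matches through timing.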
Details
- CWE(s)