CVE-2025-67975
📋 TL;DR
This CVE describes a Missing Authorization vulnerability in the aDirectory WordPress plugin that allows attackers to bypass access controls. It affects all versions up to and including 3.0.3, potentially enabling unauthorized access to restricted functionality or data.
💻 Affected Systems
- aDirectory WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the WordPress site through privilege escalation, data exfiltration, or unauthorized administrative actions.
Likely Case
Unauthorized access to sensitive directory listings, user data, or plugin functionality that should be restricted.
If Mitigated
Limited impact if proper network segmentation, web application firewalls, and additional authorization layers are implemented.
🎯 Exploit Status
Missing authorization vulnerabilities typically require minimal technical skill to exploit once the attack vector is identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version after 3.0.3
Vendor Advisory: https://patchstack.com/database/Wordpress/Plugin/adirectory/vulnerability/wordpress-adirectory-plugin-3-0-3-broken-access-control-vulnerability?_s_id=cve
Restart Required: No
Instructions:
1. Log into WordPress admin panel
2. Navigate to Plugins > Installed Plugins
3. Locate aDirectory plugin
4. Check for available updates
5. Update to latest version
6. Verify plugin functionality after update
🔧 Temporary Workarounds
Disable aDirectory Plugin
allTemporarily disable the vulnerable plugin until patched
wp plugin deactivate adirectory
Implement Web Application Firewall Rules
allBlock suspicious requests targeting aDirectory endpoints
🧯 If You Can't Patch
- Implement strict network access controls to limit who can access the WordPress site
- Enable detailed logging and monitoring for unauthorized access attempts to aDirectory functionality
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins for aDirectory version 3.0.3 or earlierCheck Version:
wp plugin get adirectory --field=versionVerify Fix Applied:
Verify aDirectory plugin version is greater than 3.0.3 and test access control functionality📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to aDirectory-specific endpoints
- 403 errors followed by successful 200 responses to restricted paths
Network Indicators:
- Unusual HTTP requests to /wp-content/plugins/adirectory/ paths
- Requests bypassing authentication to plugin endpoints
SIEM Query:
source="wordpress.log" AND (uri_path="/wp-content/plugins/adirectory/" OR user_agent CONTAINS "adirectory") AND response_code=200 AND auth_status="failed"