Simple Business Directory Pro Vulnerability (Critical) – CVE-2025-3…

Feb 25, 2026 | Plugins

Attack Vectors

Simple Business Directory Pro (slug: simple-business-directory-pro) is affected by a Critical vulnerability (CVSS 9.8; CVE-2025-31918) that can be exploited remotely over the internet.

The most concerning aspect for business owners is that the reported issue requires no authentication: the attacker does not need an existing account or a login. In practical terms, an external attacker can target any WordPress site running a vulnerable version of the plugin and attempt to create an account with elevated permissions.

Security Weakness

According to Wordfence, all versions of Simple Business Directory Pro up to, but not including, 15.6.9 are vulnerable to unauthenticated privilege escalation, which can enable an attacker to register as an administrator.

This is a high-risk class of weakness because it bypasses normal access controls entirely: instead of breaking in by guessing passwords, the attacker may be able to create an administrator-level identity and then use legitimate admin features to take over the site. Bugs in this class typically come down to a user-creation path that is reachable without authentication and that either trusts a client-supplied role or omits a capability check; the Wordfence record for this plugin does not publish the specific code path.
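The following is an added illustration of this weakness class, written for this page. It is not code from Simple Business Directory Pro and does not describe that plugin's actual flaw; the hook names, action names and field names (`sbd_demo_*`) are hypothetical. The first handler shows the pattern that allows an unauthenticated caller to register an administrator; the second shows the hardened form of the same handler.

```php
<?php
// Added example for this page (hypothetical names); NOT code from
// Simple Business Directory Pro and not its actual vulnerability.

// --- Vulnerable pattern ---------------------------------------------------
// 1. Exposed to logged-out visitors via wp_ajax_nopriv_*.
// 2. Trusts a role supplied by the client.
// 3. No nonce, no capability check.
add_action( 'wp_ajax_nopriv_sbd_demo_register', 'sbd_demo_register_vulnerable' );
function sbd_demo_register_vulnerable() {
    $login = sanitize_user( $_POST['user_login'] ?? '' );
    $email = sanitize_email( $_POST['user_email'] ?? '' );
    $role  = $_POST['role'] ?? 'subscriber';   // attacker simply sends "administrator"

    $user_id = wp_insert_user( array(
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => wp_generate_password(),
        'role'       => $role,                  // privilege escalation happens here
    ) );
    wp_send_json( is_wp_error( $user_id ) ? $user_id->get_error_message() : $user_id );
}

// --- Hardened pattern -----------------------------------------------------
// Authenticated callers only (wp_ajax_*, no nopriv), CSRF nonce, an explicit
// capability check, and the role is chosen server-side from an allow-list.
add_action( 'wp_ajax_sbd_demo_register', 'sbd_demo_register_hardened' );
function sbd_demo_register_hardened() {
    check_ajax_referer( 'sbd_demo_register', '_wpnonce' );
    if ( ! current_user_can( 'create_users' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $login = sanitize_user( wp_unslash( $_POST['user_login'] ?? '' ), true );
    $email = sanitize_email( wp_unslash( $_POST['user_email'] ?? '' ) );
    if ( '' === $login || ! is_email( $email ) ) {
        wp_send_json_error( 'invalid input', 400 );
    }
    $role = sbd_demo_allowed_role( wp_unslash( $_POST['role'] ?? '' ) );

    $user_id = wp_insert_user( array(
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => wp_generate_password( 24 ),
        'role'       => $role,
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 400 );
    }
    wp_send_json_success( array( 'id' => $user_id, 'role' => $role ) );
}

// Map a requested role onto a fixed allow-list; anything else falls back to
// the lowest-privilege role. 'administrator' is deliberately not listed.
function sbd_demo_allowed_role( $requested ) {
    $allowed = array( 'subscriber', 'contributor' );
    return in_array( $requested, $allowed, true ) ? $requested : 'subscriber';
}
```

When reviewing any plugin for this class of bug, the quick triage is to list every `wp_ajax_nopriv_*` action, every custom REST route whose `permission_callback` returns true, and every `admin_post_nopriv_*` handler, then check whether any of them reaches `wp_insert_user()`, `wp_create_user()` or `WP_User::set_role()` with a role or capability that originates in `$_POST`, `$_GET` or `$_REQUEST`.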

Remediation: Update to version 15.6.9 or newer (patched). Source: Wordfence vulnerability record. Note that updating only closes the door; it does not remove any administrator account an attacker may already have created, so a site that ran a vulnerable version while exposed to the internet should also review its user list.

Technical or Business Impacts

If exploited, this vulnerability can lead to full website compromise, including the ability to change site content, add backdoor accounts, install malicious plugins, redirect traffic to scam pages, or exfiltrate data accessible through the WordPress admin interface. Because the attacker can become an administrator, the impact typically extends beyond the directory plugin itself.
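As an added post-patch check covering the remediation note and the impacts listed above (not part of the page, the plugin or Wordfence), the script below confirms the installed plugin version against 15.6.9, lists administrator accounts and flags those registered inside a review window, and lists plugin files modified inside that window. It is meant to be run inside the site with WP-CLI (`wp eval-file sbd-audit.php`). The review-window start date is an assumption and should be set to the earliest date the site could have been running a vulnerable version; the plugin is located by its slug directory, so the main file name is not assumed.

```php
<?php
// Added audit script for this page; not from the plugin or from Wordfence.
// Usage (inside the WordPress install):  wp eval-file sbd-audit.php

if ( ! defined( 'ABSPATH' ) ) {
    fwrite( STDERR, "Run this through WP-CLI: wp eval-file sbd-audit.php\n" );
    exit( 1 );
}
require_once ABSPATH . 'wp-admin/includes/plugin.php';

define( 'SBD_PATCHED', '15.6.9' );                    // fixed version per the advisory
define( 'SBD_REVIEW_FROM', '2025-01-01 00:00:00' );   // ASSUMPTION: widen to cover real exposure
define( 'SBD_SLUG', 'simple-business-directory-pro' );

// 1. Is a vulnerable version installed (active or inactive)? Locate by slug directory.
$plugins = get_plugins();
$found   = false;
foreach ( $plugins as $file => $data ) {
    if ( 0 !== strpos( $file, SBD_SLUG . '/' ) ) {
        continue;
    }
    $found = true;
    $state = version_compare( $data['Version'], SBD_PATCHED, '<' ) ? 'VULNERABLE' : 'patched';
    printf( "plugin %s version %s: %s (fixed in %s)\n", $file, $data['Version'], $state, SBD_PATCHED );
}
if ( ! $found ) {
    printf( "no plugin found under %s/; nothing to patch on this site\n", SBD_SLUG );
}

// 2. Administrator accounts, flagging those created inside the review window.
//    An administrator nobody on the team created is the primary indicator for this bug class.
$admins = get_users( array(
    'role'    => 'administrator',
    'orderby' => 'registered',
    'order'   => 'DESC',
) );
foreach ( $admins as $u ) {
    // user_registered is 'Y-m-d H:i:s', so a string comparison orders correctly.
    $flag = ( $u->user_registered >= SBD_REVIEW_FROM ) ? '  <-- REVIEW' : '';
    printf( "admin #%d %s <%s> registered %s%s\n",
        $u->ID, $u->user_login, $u->user_email, $u->user_registered, $flag );
}

// 3. Plugin files changed inside the window: a new administrator frequently installs a plugin.
$cutoff = strtotime( SBD_REVIEW_FROM );
foreach ( $plugins as $file => $data ) {
    $path  = WP_PLUGIN_DIR . '/' . $file;
    $mtime = file_exists( $path ) ? filemtime( $path ) : 0;
    if ( $mtime >= $cutoff ) {
        printf( "plugin file %s (%s) modified %s\n", $file, $data['Name'], gmdate( 'Y-m-d H:i:s', $mtime ) );
    }
}
```

File modification times are only a weak signal, since updates and attackers alike can touch them, so treat step 3 as a prompt for closer review rather than a verdict; the account list in step 2 is the check that matters most for an administrator-creation bug.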

For marketing and revenue teams, the business fallout can be immediate: website defacement, SEO spam, unauthorized redirects that harm campaign performance, lead-capture form tampering, and loss of visitor trust. For leadership and compliance stakeholders, the risk includes potential exposure of customer or partner information, incident response costs, downtime, and regulatory or contractual notification obligations depending on what data is accessed.

Similar attacks (real examples): Large-scale exploitation of WordPress privilege escalation and access-control issues has occurred before, including the unauthenticated privilege escalation vulnerability in Essential Addons for Elementor and the File Manager plugin zero-day that was exploited in the wild before a patch was widely installed, alongside broader supply-chain concerns around how WordPress plugins and themes are updated. These incidents show how quickly attackers weaponize high-impact WordPress issues once they are publicized, which is why the update should not wait for a maintenance window.
