Attack Vectors
CVE-2025-64250 is a Medium-severity (CVSS 5.8) Open Redirect affecting the WordPress plugin Directorist: AI-Powered Business Directory, Listings & Classified Ads (slug: directorist) in versions up to and including 8.6.6.
An unauthenticated attacker can attempt to redirect a visitor to an external destination by supplying a crafted redirect URL. In practice, this typically succeeds when the attacker can get a user to click a link, submit a form, or follow a workflow that triggers the redirect.
Because the redirect can originate from a domain your audience already trusts (your website), this issue is commonly paired with phishing and social engineering tactics to make malicious destinations appear legitimate.
Security Weakness
The vulnerability is caused by insufficient validation of a redirect URL supplied to the plugin, allowing a redirect to an attacker-chosen site.
Open Redirect issues do not typically expose data directly on their own, but they weaken a key trust boundary: users expect links and flows on your site to keep them on your site. When that expectation is broken, attackers can use your brand and domain reputation as leverage.
Reference: CVE-2025-64250. Source advisory: Wordfence Threat Intelligence.
Technical or Business Impacts
Brand and trust damage: Visitors who are unexpectedly redirected from your site to a malicious page may blame your organization, reducing confidence in campaigns, landing pages, and directory/listing experiences.
Phishing enablement: Attackers can embed the redirect into emails, ads, or DMs, using your domain to increase click-through rates and reduce suspicion—raising the likelihood of credential theft or payment fraud occurring off-site.
Compliance and incident response overhead: Even if no internal systems are breached, security and compliance teams may need to investigate reports, handle customer complaints, and document actions for auditors or partners.
Recommended remediation: Update Directorist to version 8.6.7 or newer (patched). After updating, validate that any redirects used in marketing flows (login, registration, listing submissions, “return to” links) only allow safe, intended destinations.
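The page does not show how the plugin validates redirect targets, so the following is an added example (not Directorist's code) of what "only allow safe, intended destinations" looks like for a user-supplied redirect URL; the host names are constructed placeholders. It goes beyond the single case the advisory names by also rejecting the scheme-relative, backslash and userinfo forms that a "starts with a slash" check misses.

```python
"""Allowlist check for a user-supplied redirect target (added example).

Not Directorist's code. Host names below are constructed for the example.
"""
from urllib.parse import urlsplit, urlunsplit

ALLOWED_HOSTS = {"directory.example", "accounts.directory.example"}  # constructed
FALLBACK = "/"


def naive_is_local(raw: str) -> bool:
    """A commonly seen but insufficient check, shown for contrast only (not a
    statement about how the plugin validated): "starts with a slash" also
    matches scheme-relative "//other.example", which browsers follow off-site."""
    return raw.startswith("/")


def safe_redirect_target(raw: str, fallback: str = FALLBACK) -> str:
    """Return a normalised form of `raw` if it stays on an allowed host,
    otherwise `fallback`. The normalised value, never `raw`, is what gets
    sent in the Location header."""
    if not isinstance(raw, str) or not raw:
        return fallback
    if any(ord(c) < 0x20 for c in raw):
        return fallback  # CR/LF/TAB/NUL never belong in a redirect target
    # Browsers treat "/\other.example" like "//other.example": normalise first.
    candidate = raw.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return fallback  # javascript:, data:, and similar schemes
    if parts.netloc:
        if parts.username is not None or parts.password is not None:
            return fallback  # "https://directory.example@other.example" form
        host = parts.hostname
        if host is None or host.lower() not in ALLOWED_HOSTS:
            return fallback
        return urlunsplit((parts.scheme or "https", parts.netloc.lower(),
                           parts.path or "/", parts.query, parts.fragment))
    # No authority part: accept only a plain site-relative path. A path that
    # starts with "//" would be re-emitted as scheme-relative, so reject it.
    if not parts.path.startswith("/") or parts.path.startswith("//"):
        return fallback
    return urlunsplit(("", "", parts.path, parts.query, parts.fragment))
```

Wire the result into the redirect call in place of the raw parameter; when the fallback is returned, the user simply lands on the site's own front page.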
Similar Attacks
Open Redirect weaknesses are widely abused as part of phishing and brand-impersonation campaigns. For additional context on how these attacks work and how organizations mitigate them, see:
OWASP: Unvalidated Redirects and Forwards