CVE-2025-60120: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability was discovered in the WordPress WP Directory Kit plugin affecting versions through 1.3.8. The vulnerability was identified on September 26, 2025, and was assigned CVE-2025-60120. The security flaw allows exploiting incorrectly configured access control security levels in the plugin (NVD, Patchstack).

The vulnerability has been classified as a Broken Access Control issue with a CVSS v3.1 base score of 5.3 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. The vulnerability is categorized under CWE-862 (Missing Authorization) and requires no authentication to exploit (Patchstack).

The vulnerability allows unprivileged users to execute certain higher privileged actions due to missing authorization, authentication, or nonce token checks. The security issue has been assessed as having a low severity impact, though it affects the confidentiality of the system (Patchstack).

No official fix is currently available for this vulnerability. The software is considered abandoned as it hasn't been updated for over a year. The recommended mitigation strategy is to remove and replace the software with an alternative solution (Patchstack).

The vulnerability was initially reported by security researcher Bao from BlueRock on August 25, 2025. Patchstack issued an early warning to their customers on September 26, 2025, before publishing the vulnerability publicly on September 28, 2025 (Patchstack).