CVE-2024-1322: Directorist WordPress Plugin Vulnerability - Unauthorized Data Modification in the Business Directory Plugin with Classified Ads Listings

Recently, a significant vulnerability has been discovered in the popular Directorist - WordPress Business Directory Plugin with Classified Ads Listings. Unauthenticated attackers can take advantage of this vulnerability, dubbed as CVE-2024-1322, to modify the plugin's data. This post will elaborate on the vulnerability's details, including the affected versions, code snippets, and original reference links. It also provides information regarding the vulnerability's exploitation.

Affected Versions

CVE-2024-1322 affects all versions up to and including 7.8.4 of the Directorist - WordPress Business Directory Plugin with Classified Ads Listings.

Vulnerability Details

This vulnerability exists due to a missing capability check within the 'setup_wizard' function. Consequently, an unauthenticated attacker can exploit it to recreate default pages and manipulate essential settings, such as enabling or disabling monetization and changing the map provider. In effect, this could severely impact the plugin's overall functionality and jeopardize your directory's integrity.

Code Snippet

A code excerpt highlighting the vulnerability within the plugin's directorist-setup.php file is as follows:

function setup_wizard() {
    if (empty($_GET['page']) || 'directorist-setup' !== $_GET['page']) {
        return;
    }
    $this->setup_wizard_header();
    ?>
    
    <form method="post">
        <?php
            // Function calls to create the individual steps within the setup wizard
            $this->setup_wizard_default_pages_step();
            $this->setup_wizard_map_provider_step();
            $this->setup_wizard_monetization_step();
        ?>
    </form>

In the code snippet above, there is an absence of an is_user_logged_in() or current_user_can( 'manage_options' ) check. This omission results in the possibility of unauthorized exploitation by unauthenticated users.

Exploit Details

An attacker would typically exploit this vulnerability by sending a crafted HTTP request to the affected WordPress installation URL.

POST /wp-admin/admin.php?page=directorist-setup HTTP/1.1
Host: vulnerable-website.com
Content-Type: application/x-www-form-urlencoded
Content-Length: [length]

step=default_pages&nonce=defaultpagesnonce_YOUR_NONCE_HERE&submit=Let%27s+Go%21

The attacker would replace YOUR_NONCE_HERE with a valid nonce. The request above recreates the default pages, but other payloads can be injected in a similar fashion to enable or disable monetization and alter the map provider.

For more details about this vulnerability, you can refer to the following sources

1. Vulnerability Database - CVE Details
2. WPScan Vulnerability Report

Conclusion

CVE-2024-1322 is a critical vulnerability within the Directorist - WordPress Business Directory Plugin with Classified Ads Listings. It allows unauthenticated attackers to modify essential settings and pages, potentially causing severe damage to the affected websites. It is highly recommended to update the plugin to the latest version or apply the necessary security patch to secure your WordPress installation from potential attacks.

Remember to always keep your plugins and WordPress installations updated and secure to avoid being a victim of cyberattacks.

Timeline

Published on: 02/29/2024 01:43:47 UTC
Last modified on: 02/29/2024 13:49:29 UTC