WordPress Plugin Vulnerabilities

Directorist < 7.3.1 - Unauthenticated Email Address Disclosure

Description

The plugin discloses the email address of all users in an AJAX action available to both unauthenticated and any authenticated users

Proof of Concept

Affects Plugins

Plugin icon
directorist
Fixed in 7.3.1

References

CVE
CVE-2022-2376

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Krzysztof Zając
Submitter
Krzysztof Zając
Submitter website
https://kazet.cc/
Submitter twitter
kazet1234
Verified
Yes
WPVDB ID
437c4330-376a-4392-86c6-c4c7ed9583ad

Timeline

Publicly Published
2022-08-10 (about 3 years ago)
Added
2022-08-10 (about 3 years ago)
Last Updated
2023-05-07 (about 2 years ago)

Other

Published
Title
Published
2025-07-30
Title
TheBooking <= 1.4.4 - Missing Authorization
Published
2022-05-13
Title
Files Download Delay < 1.0.7 - Subscriber+ Settings Reset
Published
2024-07-01
Title
Woffice Core < 5.4.9 - Missing Authorization
Published
2025-01-06
Title
RSVP and Event Management < 2.7.14 - Missing Authorization
Published
2025-09-03
Title
Classified Listing < 5.0.7 - Missing Authorization