WordPress Plugin Vulnerabilities

Business Directory Plugin < 5.11.1 - Arbitrary Add/Edit/Delete Form Field to Stored XSS

Description

The plugin suffered from Cross-Site Request Forgery issues, allowing an attacker to make a logged in administrator add, edit or delete form fields, which could also lead to Stored Cross-Site Scripting issues.

Note (WPScanTeam): The CSRF has ben fixed and proper capability checks have also been added in 5.11.1, however some sanitisation was still missing, still allowing XSS via a high privilege account in other pages and a different issue has been created for it

Proof of Concept

Affects Plugins

Plugin icon
business-directory-plugin
Fixed in 5.11.1

References

CVE
CVE-2021-24178

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
7.1 (high)

Miscellaneous

Original Researcher
0xB9
Submitter
0xB9
Submitter twitter
0xB9sec
Verified
Yes
WPVDB ID
700f3b04-8298-447c-8d3c-4581880a63b5

Timeline

Publicly Published
2021-04-11 (about 4 years ago)
Added
2021-04-12 (about 4 years ago)
Last Updated
2021-04-15 (about 4 years ago)

Other

Published
Title
Published
2025-01-27
Title
FlashCounter <= 1.1.8 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2023-09-12
Title
Quiz And Survey Master < 8.1.16 - Cross-Site Request Forgery via 'display_results'
Published
2023-04-06
Title
WP Fatest Cache < 1.1.3 - Multiple CSRF
Published
2025-08-25
Title
Savyour Affiliate Partner <= 2.1.4 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2025-09-22
Title
Force Update Translations <= 0.5 - Cross-Site Request Forgery