WordPress Plugin Vulnerabilities

Business Directory Plugin < 5.11.1 - Arbitrary Add/Edit/Delete Form Field to Stored XSS

Description

The plugin suffered from Cross-Site Request Forgery issues, allowing an attacker to make a logged in administrator add, edit or delete form fields, which could also lead to Stored Cross-Site Scripting issues.

Note (WPScanTeam): The CSRF has ben fixed and proper capability checks have also been added in 5.11.1, however some sanitisation was still missing, still allowing XSS via a high privilege account in other pages and a different issue has been created for it

Proof of Concept

Affects Plugins

Plugin icon
business-directory-plugin
Fixed in 5.11.1

References

CVE
CVE-2021-24178

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
7.1 (high)

Miscellaneous

Original Researcher
0xB9
Submitter
0xB9
Submitter twitter
0xB9sec
Verified
Yes
WPVDB ID
700f3b04-8298-447c-8d3c-4581880a63b5

Timeline

Publicly Published
2021-04-11 (about 4 years ago)
Added
2021-04-12 (about 4 years ago)
Last Updated
2021-04-15 (about 4 years ago)

Other

Published
Title
Published
2025-06-27
Title
WP YouTube Live <= 1.10.0 - Cross-Site Request Forgery
Published
2020-09-26
Title
Hueman < 3.6.4 - Arbitrary Settings Update via CSRF
Published
2025-01-29
Title
CP Contact Form with PayPal < 1.3.53 - Cross-Site Request Forgery
Published
2023-03-03
Title
About Me 3000 widget <= 2.2.6 - CSRF
Published
2023-12-28
Title
NEX-Forms – Ultimate Form Builder < 8.5.5 - Cross-Site Request Forgery