WordPress Plugin Vulnerabilities

Directorist: AI-Powered Business Directory < 8.2 - Privilege Escalation and Account Takeover

Description

The plugin is vulnerable to privilege escalation via account takeover due to the directorist_generate_password_reset_pin_code() and reset_user_password() functions not having enough controls to prevent a successful brute force attack of the OTP to change a password, or verify that a password reset request came from an authorized user. This makes it possible for unauthenticated attackers to generate and brute force an OTP that makes it possible to change any users passwords, including an administrator.

Affects Plugins

Plugin icon
directorist
Fixed in 8.2

References

CVE
CVE-2025-1570
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/853562ed-7f2e-453c-b3d0-67c90bd0231f

Classification

Type
PRIVESC
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-269
CVSS
8.1 (high)

Miscellaneous

Original Researcher
wesley (wcraft)
Verified
No
WPVDB ID
99ec9521-a17e-47ea-ac37-0a3acde1e2ff

Timeline

Publicly Published
2025-02-27 (about 1 year ago)
Added
2025-03-06 (about 1 year ago)
Last Updated
2025-03-06 (about 1 year ago)

Other

Published
Title
Published
2025-03-07
Title
Javo Core < 3.0.0.266 - Unauthenticated Privilege Escalation in ajax_signup
Published
2025-01-14
Title
User Management <= 1.2 - Authenticated (Subscriber+) Privilege Escalation
Published
2026-01-08
Title
Frontend Admin by DynamiApps < 3.28.30 - Unauthenticated Privilege Escalation to Administrator via Role Form Field
Published
2025-05-22
Title
Simple Business Directory Pro <= 15.4.8 - Unauthenticated Privilege Escalation
Published
2024-12-19
Title
SSL Wireless SMS Notification < 3.7.0 - Unauthenticated Privilege Escalation