WordPress Plugin Vulnerabilities

Directorist < 7.5.5 - Subscriber+ Insecure Direct Object Reference to Arbitrary Post Deletion

Description

The plugin does not properly validate that users are authorized to delete a given listing, or that it is a listing at all, making it possible for less-privileged users like subscribers to delete posts.

Affects Plugins

Plugin icon
directorist
Fixed in 7.5.5

References

CVE
CVE-2023-1889
URL
https://www.wordfence.com/blog/2023/06/critical-security-update-directorist-wordpress-plugin-patches-two-high-risk-vulnerabilities/

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
6.5 (medium)

Miscellaneous

Original Researcher
Alex Thomas
Verified
Yes
WPVDB ID
9e5a95c4-f566-4cf3-85e6-c95a1739a4b5

Timeline

Publicly Published
2023-06-07 (about 2 years ago)
Added
2023-06-07 (about 2 years ago)
Last Updated
2023-06-07 (about 2 years ago)

Other

Published
Title
Published
2026-03-20
Title
REST API TO MiniProgram <= 5.1.2 - Subscriber+ Insecure Direct Object Reference via 'userid'
Published
2023-09-12
Title
wpDiscuz < 7.6.4 - Post Rating Increase/Decrease iva IDOR
Published
2021-09-22
Title
WP User Manager < 2.6.3 - Arbitrary User Password Reset to Account Compromise
Published
2025-12-11
Title
Ultra Addons for Contact Form 7 < 3.5.34 - Missing Authorization to Authenticated (Subscriber+) to Generate Form Submission PDF
Published
2023-11-23
Title
Accept Stripe Payments < 2.0.80 - Insecure Direct Object Reference