WordPress Plugin Vulnerabilities

Directorist < 7.8.5 - Missing Authorization to Unauthenticated Settings Change

Description

The Directorist – WordPress Business Directory Plugin with Classified Ads Listings plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'setup_wizard' function in all versions up to, and including, 7.8.4. This makes it possible for unauthenticated attackers to recreate default pages and enable or disable monetization and change map provider.

Affects Plugins

Plugin icon
directorist
Fixed in 7.8.5

References

CVE
CVE-2024-1322
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/aa26e958-4850-451b-88eb-d48fc0c7feb7

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Lucio Sá
Verified
No
WPVDB ID
b7a0c177-75e7-4295-a3f4-5aa84dac2d93

Timeline

Publicly Published
2024-02-12 (about 2 years ago)
Added
2024-02-12 (about 2 years ago)
Last Updated
2024-02-12 (about 2 years ago)

Other

Published
Title
Published
2026-01-16
Title
RepairBuddy < 4.1121 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Signature Upload to Orders
Published
2025-11-18
Title
WSChat – WordPress Live Chat < 3.1.7 - Missing Authorization to Authenticated (Subscriber+) Settings Reset
Published
2025-12-11
Title
Reformer for Elementor <= 1.0.6 - Missing Authorization
Published
2024-07-18
Title
YITH Essential Kit for WooCommerce #1 < 2.35.0 - Missing Authorization to Authenticated (Subscriber+) Limited Plugin Install, Activation, and Deactivation
Published
2025-05-01
Title
OTP-less one tap Sign in 2.0.14 - 2.0.59 - Unauthenticated Arbitrary Email Update to Account Takeover/Privilege Escalation