what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

WordPress Directorist 7.5.4 Insecure Direct Object Reference / Privilege Escalation

WordPress Directorist 7.5.4 Insecure Direct Object Reference / Privilege Escalation
Posted Jun 8, 2023
Authored by Alex Thomas | Site wordfence.com

WordPress Directorist plugin versions 7.5.4 and below suffer from insecure direct object reference and privilege escalation vulnerabilities.

tags | exploit, vulnerability
advisories | CVE-2023-1888, CVE-2023-1889
SHA-256 | a15e7fd8c5bc9d777f92de320392c7f33636ed93ea834586dbd8b300720116dd

WordPress Directorist 7.5.4 Insecure Direct Object Reference / Privilege Escalation

Change Mirror Download
Alongside our usual work to discover, report, and remediate vulnerabilities in the WordPress ecosystem, the WordPress Threat Intelligence team has been conducting a deep-dive into WordPress plugin code with the objective of finding methods to bypass authentication and gain elevated privileges in WordPress plugins so we can help developers patch these vulnerabilities before threat actors can exploit them.

One such plugin we examined recently is Directorist, a popular tool used by over 10,000 WordPress sites to manage directory listings and classified ads.

On April 3, 2023, our team uncovered two significant vulnerabilities – an Arbitrary User Password Reset to Privilege Escalation, and an Insecure Direct Object Reference leading to Arbitrary Post Deletion. Both vulnerabilities were found to affect Directorist versions 7.5.4 and earlier.

Wordfence Premium, Wordfence Care, and Wordfence Response customers received a firewall rule to protect against any exploits targeting these vulnerabilities on April 4, 2023. Sites still using the free version of Wordfence received the same protection on May 4, 2023.

Unfortunately, on June 1, 2023, the plugin was closed due to developer unresponsiveness, and it currently remains unavailable for download from the repository. This presents an issue as site owners are unable to request an update directly via their WordPress dashboard. Given this situation, we advise site owners to either temporarily uninstall the plugin, or manually download the patched version, 7.5.5, and upload it to their sites for optimal protection. For this reason, we have intentionally kept specific vulnerability details to a minimum in this post.


Vulnerability Summaries from Wordfence Intelligence

Description: Directorist <= 7.5.4 - Authenticated (Subscriber+) Arbitrary User Password Reset to Privilege Escalation

Affected Plugin: Directorist – WordPress Business Directory Plugin with Classified Ads Listings

Plugin Slug: directorist

Affected Versions: <= 7.5.4

CVE ID: CVE-2023-1888

CVSS Score: 8.8 (High)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Researcher/s: Alex Thomas

Fully Patched Version: 7.5.5

The Directorist plugin for WordPress is vulnerable to an arbitrary user password reset in versions up to, and including, 7.5.4. This is due to a lack of validation checks within login.php. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to reset the password of an arbitrary user and gain elevated (e.g., administrator) privileges.

Description: Directorist <= 7.5.4 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Post Deletion in listing_task

Affected Plugin: Directorist – WordPress Business Directory Plugin with Classified Ads Listings

Plugin Slug: directorist

Affected Versions: <= 7.5.4

CVE ID: CVE-2023-1889

CVSS Score: 7.2 (High)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Researcher/s: Alex Thomas

Fully Patched Version: 7.5.5

The Directorist plugin for WordPress is vulnerable to an Insecure Direct Object Reference in versions up to, and including, 7.5.4. This is due to improper validation and authorization checks within the listing_task function. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to delete arbitrary posts.

Technical Analysis

Password Reset Vulnerability

Directorist, created by wpWax, is designed to help businesses establish directory listings and classified ads on their WordPress sites. It includes a Login and Registration form that can be enabled using the [directorist_user_login] shortcode.

The Directorist Login and Registration form

This form features a “Recover Password” function, akin to the default WordPress “lost your password?” feature. In vulnerable versions, the underlying code lacks essential validation checks to ensure that the user attempting to reset a password is indeed the account owner. This could allow attackers with subscriber-level permissions or higher to reset the passwords of other users, including administrators, thereby gaining unauthorized elevated privileges and taking over the site.

Directorist “Recover Password” logic

Arbitrary Post Deletion Vulnerability

In addition, we found an arbitrary post deletion vulnerability in the plugin. Directorist listings are essentially custom WordPress posts. In vulnerable versions, the code designed to manage listing deletions lacks the necessary authorization checks to confirm the user is permitted to delete the listing and does not verify that the post being deleted is a Directorist listing. Consequently, this could enable threat actors with subscriber-level and above permissions to delete any post on a WordPress instance, including posts by administrators.

Directorist directory listing deletion logic

Disclosure Timeline

April 3, 2023 – The Wordfence Threat Intelligence team discovers and documents two vulnerabilities in Directorist.

April 4, 2023 – The Wordfence Threat Intelligence team releases firewall rules to Wordfence Premium, Wordfence Care, and Wordfence Response users and begins the responsible disclosure process.

May 4, 2023 – Wordfence Free users receive the firewall rules.

June 1, 2023 – The plugin developers release a patch in version 7.5.5 of Directorist.

Conclusion

In this blog post, we reviewed two vulnerabilities in our ongoing vulnerability research focused on bypassing authentication and gaining elevated privileges – an Arbitrary User Password Reset to Privilege Escalation that allows threat actors to gain full control of a WordPress instance, and a less-severe Insecure Direct Object Reference to Arbitrary Post Deletion, both in Directorist versions 7.5.4 and prior.

The Wordfence Threat Intelligence team reported these vulnerabilities to the Directorist team on April 4, 2023, following responsible disclosure protocols. The Directorist team addressed these vulnerabilities and released the patch in Directorist version 7.5.5 on June 1, 2023.

We recommend all users update their Directorist plugin to the newest version available, which is 7.5.5 at the time of this writing, immediately to secure their websites.

Wordfence Premium, Wordfence Care, and Wordfence Response customers received a firewall rule to protect against any exploits targeting these vulnerabilities on April 4, 2023. Sites still using the free version of Wordfence received the same protection on May 4, 2023.

If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as these vulnerabilities pose a significant risk.

For security researchers looking to disclose vulnerabilities responsibly and obtain a CVE ID, you can submit your findings to Wordfence Intelligence and potentially earn a spot on our leaderboard.

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close