Alongside our usual work to discover, report, and remediate vulnerabilities in the WordPress ecosystem, the WordPress Threat Intelligence team has been conducting a deep-dive into WordPress plugin code with the objective of finding methods to bypass authentication and gain elevated privileges in WordPress plugins so we can help developers patch these vulnerabilities before threat actors can exploit them. One such plugin we examined recently is Directorist, a popular tool used by over 10,000 WordPress sites to manage directory listings and classified ads. On April 3, 2023, our team uncovered two significant vulnerabilities – an Arbitrary User Password Reset to Privilege Escalation, and an Insecure Direct Object Reference leading to Arbitrary Post Deletion. Both vulnerabilities were found to affect Directorist versions 7.5.4 and earlier. Wordfence Premium, Wordfence Care, and Wordfence Response customers received a firewall rule to protect against any exploits targeting these vulnerabilities on April 4, 2023. Sites still using the free version of Wordfence received the same protection on May 4, 2023. Unfortunately, on June 1, 2023, the plugin was closed due to developer unresponsiveness, and it currently remains unavailable for download from the repository. This presents an issue as site owners are unable to request an update directly via their WordPress dashboard. Given this situation, we advise site owners to either temporarily uninstall the plugin, or manually download the patched version, 7.5.5, and upload it to their sites for optimal protection. For this reason, we have intentionally kept specific vulnerability details to a minimum in this post. Vulnerability Summaries from Wordfence Intelligence Description: Directorist <= 7.5.4 - Authenticated (Subscriber+) Arbitrary User Password Reset to Privilege Escalation Affected Plugin: Directorist – WordPress Business Directory Plugin with Classified Ads Listings Plugin Slug: directorist Affected Versions: <= 7.5.4 CVE ID: CVE-2023-1888 CVSS Score: 8.8 (High) CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Researcher/s: Alex Thomas Fully Patched Version: 7.5.5 The Directorist plugin for WordPress is vulnerable to an arbitrary user password reset in versions up to, and including, 7.5.4. This is due to a lack of validation checks within login.php. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to reset the password of an arbitrary user and gain elevated (e.g., administrator) privileges. Description: Directorist <= 7.5.4 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Post Deletion in listing_task Affected Plugin: Directorist – WordPress Business Directory Plugin with Classified Ads Listings Plugin Slug: directorist Affected Versions: <= 7.5.4 CVE ID: CVE-2023-1889 CVSS Score: 7.2 (High) CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N Researcher/s: Alex Thomas Fully Patched Version: 7.5.5 The Directorist plugin for WordPress is vulnerable to an Insecure Direct Object Reference in versions up to, and including, 7.5.4. This is due to improper validation and authorization checks within the listing_task function. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to delete arbitrary posts. Technical Analysis Password Reset Vulnerability Directorist, created by wpWax, is designed to help businesses establish directory listings and classified ads on their WordPress sites. It includes a Login and Registration form that can be enabled using the [directorist_user_login] shortcode. The Directorist Login and Registration form This form features a “Recover Password” function, akin to the default WordPress “lost your password?” feature. In vulnerable versions, the underlying code lacks essential validation checks to ensure that the user attempting to reset a password is indeed the account owner. This could allow attackers with subscriber-level permissions or higher to reset the passwords of other users, including administrators, thereby gaining unauthorized elevated privileges and taking over the site. Directorist “Recover Password” logic Arbitrary Post Deletion Vulnerability In addition, we found an arbitrary post deletion vulnerability in the plugin. Directorist listings are essentially custom WordPress posts. In vulnerable versions, the code designed to manage listing deletions lacks the necessary authorization checks to confirm the user is permitted to delete the listing and does not verify that the post being deleted is a Directorist listing. Consequently, this could enable threat actors with subscriber-level and above permissions to delete any post on a WordPress instance, including posts by administrators. Directorist directory listing deletion logic Disclosure Timeline April 3, 2023 – The Wordfence Threat Intelligence team discovers and documents two vulnerabilities in Directorist. April 4, 2023 – The Wordfence Threat Intelligence team releases firewall rules to Wordfence Premium, Wordfence Care, and Wordfence Response users and begins the responsible disclosure process. May 4, 2023 – Wordfence Free users receive the firewall rules. June 1, 2023 – The plugin developers release a patch in version 7.5.5 of Directorist. Conclusion In this blog post, we reviewed two vulnerabilities in our ongoing vulnerability research focused on bypassing authentication and gaining elevated privileges – an Arbitrary User Password Reset to Privilege Escalation that allows threat actors to gain full control of a WordPress instance, and a less-severe Insecure Direct Object Reference to Arbitrary Post Deletion, both in Directorist versions 7.5.4 and prior. The Wordfence Threat Intelligence team reported these vulnerabilities to the Directorist team on April 4, 2023, following responsible disclosure protocols. The Directorist team addressed these vulnerabilities and released the patch in Directorist version 7.5.5 on June 1, 2023. We recommend all users update their Directorist plugin to the newest version available, which is 7.5.5 at the time of this writing, immediately to secure their websites. Wordfence Premium, Wordfence Care, and Wordfence Response customers received a firewall rule to protect against any exploits targeting these vulnerabilities on April 4, 2023. Sites still using the free version of Wordfence received the same protection on May 4, 2023. If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as these vulnerabilities pose a significant risk. For security researchers looking to disclose vulnerabilities responsibly and obtain a CVE ID, you can submit your findings to Wordfence Intelligence and potentially earn a spot on our leaderboard.