Critical Security Update: Directorist WordPress Plugin Patches Two High-risk Vulnerabilities

On April 3, 2023, the Wordfence team uncovered two significant vulnerabilities – an Arbitrary User Password Reset to Privilege Escalation, and an Insecure Direct Object Reference leading to Arbitrary Post Deletion. Both vulnerabilities affect Directorist versions 7.5.4 and earlier.

Sites using the free version of Wordfence received a firewall rule to protect against any exploits targeting these vulnerabilities on May 4, 2023.

Unfortunately, on June 1, 2023, the plugin was closed due to developer unresponsiveness, and it currently remains unavailable for download from the repository. This presents an issue as site owners are unable to request an update directly via their WordPress dashboard. Given this situation, we advise site owners to either temporarily uninstall the plugin, or manually download the patched version, 7.5.5, directly from the developer’s site and upload it to their sites for optimal protection. For this reason, we have intentionally kept specific vulnerability details to a minimum in this post.

Source and more details:
