CVE-2021-24981 — Cross-Site Request Forgery in Directorist

CWE-352 — Cross-Site Request Forgery CWE-434 — Unrestricted File Upload4 documents4 sources

Severity

7.5HIGHNVD

EPSS

0.2%

top 54.94%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wpwax Directorist

Timeline

PublishedDec 21

Latest updateDec 22

Description

The Directorist WordPress plugin before 7.0.6.2 was vulnerable to Cross-Site Request Forgery to Remote File Upload leading to arbitrary PHP shell uploads in the wp-content/plugins directory.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.6 | Impact: 5.9

Affected Packages1 packages

▶NVDwpwax/directorist< 7.0.6.2

🔴Vulnerability Details

GHSA

GHSA-g47h-745c-4p4f: The Directorist WordPress plugin before 7↗2021-12-22

▶

CVEList

Directorist – Business Directory Plugin < 7.0.6.2 - CSRF to Remote File Upload↗2021-12-21

▶

VulnCheck

wpwax directorist Cross-Site Request Forgery (CSRF)↗2021

▶