CVE-2024-1322 - Vulnerability Details - OpenCVE

ReportizFlow

The Directorist – WordPress Business Directory Plugin with Classified Ads Listings plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'setup_wizard' function in all versions up to, and including, 7.8.4. This makes it possible for unauthenticated attackers to recreate default pages and enable or disable monetization and change map provider.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Wpwax	Directorist

No data.

No data.

References

Link	Providers
https://plugins.trac.wordpress.org/browser/directorist/tags/7.8.4/includes/classes/class-setup-wizard.php#L300
https://plugins.trac.wordpress.org/changeset?old_path=%2Fdirectorist%2Ftags%2F7.8.4&old=3034765&new_path=%2Fdirectorist%2Ftags%2F7.8.5&new=3034765&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/aa26e958-4850-451b-88eb-d48fc0c7feb7?source=cve

History

Wed, 25 Feb 2026 22:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Wpwax Wpwax directorist
CPEs		cpe:2.3:a:wpwax:directorist::::::wordpress::*
Vendors & Products		Wpwax Wpwax directorist
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2024-02-20T18:56:39.030Z

Updated: 2024-08-08T18:50:04.943Z

Reserved: 2024-02-07T17:38:16.482Z

Link: CVE-2024-1322

Vulnrichment

Updated: 2024-08-01T18:33:25.393Z

NVD

Status : Awaiting Analysis

Published: 2024-02-29T01:43:47.613

Modified: 2024-11-21T08:50:19.883

Link: CVE-2024-1322

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-1322", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2024-02-07T17:38:16.482Z", "datePublished": "2024-02-20T18:56:39.030Z", "dateUpdated": "2024-08-08T18:50:04.943Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2024-02-20T18:56:39.030Z"}, "affected": [{"vendor": "wpwax", "product": "Directorist \u2013 WordPress Business Directory Plugin with Classified Ads Listings", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "7.8.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Directorist \u2013 WordPress Business Directory Plugin with Classified Ads Listings plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'setup_wizard' function in all versions up to, and including, 7.8.4. This makes it possible for unauthenticated attackers to recreate default pages and enable or disable monetization and change map provider."}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/aa26e958-4850-451b-88eb-d48fc0c7feb7?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/directorist/tags/7.8.4/includes/classes/class-setup-wizard.php#L300"}, {"url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Fdirectorist%2Ftags%2F7.8.4&old=3034765&new_path=%2Fdirectorist%2Ftags%2F7.8.5&new=3034765&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Lucio S\u00e1"}], "timeline": [{"time": "2024-02-12T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:33:25.393Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/aa26e958-4850-451b-88eb-d48fc0c7feb7?source=cve", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/browser/directorist/tags/7.8.4/includes/classes/class-setup-wizard.php#L300", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Fdirectorist%2Ftags%2F7.8.4&old=3034765&new_path=%2Fdirectorist%2Ftags%2F7.8.5&new=3034765&sfp_email=&sfph_mail=", "tags": ["x_transferred"]}]}, {"affected": [{"vendor": "wpwax", "product": "directorist", "cpes": ["cpe:2.3:a:wpwax:directorist:*:*:*:*:*:wordpress:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "7.8.5", "versionType": "semver"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-08T18:49:05.612519Z", "id": "CVE-2024-1322", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-08T18:50:04.943Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/aa26e958-4850-451b-88eb-d48fc0c7feb7?source=cve", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/browser/directorist/tags/7.8.4/includes/classes/class-setup-wizard.php#L300", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Fdirectorist%2Ftags%2F7.8.4&old=3034765&new_path=%2Fdirectorist%2Ftags%2F7.8.5&new=3034765&sfp_email=&sfph_mail=", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:33:25.393Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-1322", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-08-08T18:49:05.612519Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:wpwax:directorist:*:*:*:*:*:wordpress:*:*"], "vendor": "wpwax", "product": "directorist", "versions": [{"status": "affected", "version": "0", "lessThan": "7.8.5", "versionType": "semver"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-08T18:49:56.067Z"}}], "cna": {"credits": [{"lang": "en", "type": "finder", "value": "Lucio S\u00e1"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "wpwax", "product": "Directorist \u2013 WordPress Business Directory Plugin with Classified Ads Listings", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "7.8.4"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2024-02-12T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/aa26e958-4850-451b-88eb-d48fc0c7feb7?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/directorist/tags/7.8.4/includes/classes/class-setup-wizard.php#L300"}, {"url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Fdirectorist%2Ftags%2F7.8.4&old=3034765&new_path=%2Fdirectorist%2Ftags%2F7.8.5&new=3034765&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Directorist \u2013 WordPress Business Directory Plugin with Classified Ads Listings plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'setup_wizard' function in all versions up to, and including, 7.8.4. This makes it possible for unauthenticated attackers to recreate default pages and enable or disable monetization and change map provider."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2024-02-20T18:56:39.030Z"}}}, "cveMetadata": {"cveId": "CVE-2024-1322", "state": "PUBLISHED", "dateUpdated": "2024-08-08T18:50:04.943Z", "dateReserved": "2024-02-07T17:38:16.482Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2024-02-20T18:56:39.030Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "The Directorist \u2013 WordPress Business Directory Plugin with Classified Ads Listings plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'setup_wizard' function in all versions up to, and including, 7.8.4. This makes it possible for unauthenticated attackers to recreate default pages and enable or disable monetization and change map provider."}, {"lang": "es", "value": "El complemento Directorist \u2013 WordPress Business Directory Plugin with Classified Ads Listings para WordPress es vulnerable a modificaciones no autorizadas de datos debido a una falta de verificaci\u00f3n de capacidad en la funci\u00f3n 'setup_wizard' en todas las versiones hasta la 7.8.4 incluida. Esto hace posible que atacantes no autenticados vuelvan a crear p\u00e1ginas predeterminadas y habiliten o deshabiliten la monetizaci\u00f3n y cambien el proveedor de mapas."}], "id": "CVE-2024-1322", "lastModified": "2024-11-21T08:50:19.883", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "[email protected]", "type": "Secondary"}]}, "published": "2024-02-29T01:43:47.613", "references": [{"source": "[email protected]", "url": "https://plugins.trac.wordpress.org/browser/directorist/tags/7.8.4/includes/classes/class-setup-wizard.php#L300"}, {"source": "[email protected]", "url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Fdirectorist%2Ftags%2F7.8.4&old=3034765&new_path=%2Fdirectorist%2Ftags%2F7.8.5&new=3034765&sfp_email=&sfph_mail="}, {"source": "[email protected]", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/aa26e958-4850-451b-88eb-d48fc0c7feb7?source=cve"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://plugins.trac.wordpress.org/browser/directorist/tags/7.8.4/includes/classes/class-setup-wizard.php#L300"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Fdirectorist%2Ftags%2F7.8.4&old=3034765&new_path=%2Fdirectorist%2Ftags%2F7.8.5&new=3034765&sfp_email=&sfph_mail="}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/aa26e958-4850-451b-88eb-d48fc0c7feb7?source=cve"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Awaiting Analysis"}