Stored Cross-Site Scripting Vulnerability in DirectoryPress Plugin for WordPress
CVE-2024-10584

5.4 MEDIUM

Key Information:

Vendor: WordPress
CVE Published: 24 December 2024

Summary

The DirectoryPress – Business Directory and Classified Ad Listing plugin for WordPress is vulnerable to stored cross-site scripting via SVG file uploads in all versions up to and including 3.6.16. Uploaded SVG content is neither sanitized on input nor escaped on output, so an SVG carrying script (a <script> element, an event-handler attribute such as onload, or a javascript: URL in href) is stored as-is and executes in the site's origin, with the viewing user's privileges, whenever a user opens the file. Exploitation requires an authenticated account with Author-level access or higher; if the DirectoryPress Frontend component is in use, the upload path is also reachable by unauthenticated users, so no account is needed at all.
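The root cause described above, missing sanitization of uploaded SVG, is a general failure, and the check below is an added example (not code from the DirectoryPress plugin or its fix) of what "active content in an SVG" concretely means: it scans a constructed malicious upload for script elements, event-handler attributes and javascript:/vbscript:/data: URLs, including the whitespace-obfuscated `java&#10;script:` form browsers still honour, and strips them before the file would be stored. The element and attribute policy is an assumed denylist chosen for illustration; a production filter should allowlist known-safe SVG elements instead.

```python
"""Detect and strip active content from an uploaded SVG before it is stored.

Added example for this advisory, not code from the DirectoryPress plugin; the
element/attribute policy and the sample files below are constructed.
"""
import re
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for untrusted input in production

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)        # keep the default namespace on re-serialisation
ET.register_namespace("xlink", XLINK_NS)

# Elements that execute script or can retarget an attribute to a script URL
# (assumed denylist for this example; a production filter should allowlist).
ACTIVE_ELEMENTS = {"script", "foreignobject", "set", "animate", "iframe", "embed", "object"}
URL_ATTRS = {"href", "src"}              # local names: covers both href and xlink:href
SCRIPT_SCHEMES = {"javascript", "vbscript", "data"}


def _local(qname: str) -> str:
    """'{namespace}name' -> 'name'; plain names pass through unchanged."""
    return qname.rsplit("}", 1)[-1]


def _attr_problem(name: str, value: str):
    """Return a reason string if this attribute can run script, else None."""
    local = _local(name).lower()
    if local.startswith("on"):           # onload=, onclick=, onmouseover=, ...
        return f"event handler attribute '{local}'"
    if local in URL_ATTRS:
        # Browsers ignore whitespace/control characters inside a scheme, so strip them first.
        cleaned = re.sub(r"[\s\x00-\x1f]", "", value).lower()
        scheme, sep, _ = cleaned.partition(":")
        if sep and scheme in SCRIPT_SCHEMES:
            return f"{scheme}: URL in '{local}'"
    return None


def _walk(elem, findings, strip: bool):
    """Depth-first scan; with strip=True also remove whatever is found."""
    tag = _local(elem.tag)
    for name, value in list(elem.attrib.items()):
        why = _attr_problem(name, value)
        if why:
            findings.append(f"{why} on <{tag}>")
            if strip:
                del elem.attrib[name]
    for child in list(elem):
        ctag = _local(child.tag)
        if ctag.lower() in ACTIVE_ELEMENTS:
            findings.append(f"active element <{ctag}>")
            if strip:
                elem.remove(child)       # drops the element and everything under it
        else:
            _walk(child, findings, strip)


def find_active_content(svg: bytes) -> list:
    """List every scriptable element/attribute in the SVG; an empty list means clean."""
    root = ET.fromstring(svg)
    if _local(root.tag).lower() != "svg":
        return [f"root element is <{_local(root.tag)}>, not <svg>"]
    findings = []
    _walk(root, findings, strip=False)
    return findings


def sanitize_svg(svg: bytes) -> bytes:
    """Return the SVG with active content removed; raise if the root is not <svg>."""
    root = ET.fromstring(svg)
    if _local(root.tag).lower() != "svg":
        raise ValueError("not an SVG document")
    _walk(root, [], strip=True)
    return ET.tostring(root, encoding="utf-8")


# Constructed samples: a malicious upload and a benign one (not real plugin data).
MALICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(document.domain)">
  <script>alert('stored XSS')</script>
  <a xlink:href="java&#10;script:alert(1)"><text y="20">open</text></a>
  <rect width="10" height="10" fill="red"/>
</svg>"""

BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <circle cx="5" cy="5" r="4" fill="#0a0"/>
</svg>"""

if __name__ == "__main__":
    for finding in find_active_content(MALICIOUS_SVG):
        print("found:", finding)
    print(sanitize_svg(MALICIOUS_SVG).decode())
```

Two caveats for anyone adapting this: WordPress core does not accept SVG uploads at all by default, so the simplest fix for a plugin is to not widen that list; and because browsers parse SVG more leniently than an XML parser does, a sanitizer is best paired with serving user-uploaded SVGs with `Content-Disposition: attachment` or under a `Content-Security-Policy: sandbox` header so that any script that slips through cannot run in the site's origin.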

Affected Version(s)

DirectoryPress – Business Directory And Classified Ad Listing, all versions <= 3.6.16

CVSS V3.1

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Score: 5.4
Severity: MEDIUM
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: Low

Timeline

  • Vulnerability reserved

  • Vulnerability published: 24 December 2024

Credit

Tieu Pham Trong Nhan