
CVSS: 7.5 | EPSS: 9% | CPEs: 1 | EXPL: 1

10 Aug 2022 — The Directorist WordPress plugin before 7.3.1 discloses the email address of all users in an AJAX action available to both unauthenticated and any authenticated users. The plugin Directorist for WordPress is vulnerable to Sensitive Data Exposure in versions up to, and includin...
• https://wpscan.com/vulnerability/437c4330-376a-4392-86c6-c4c7ed9583ad
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor; CWE-862: Missing Authorization

CVSS: 6.3 | EPSS: 0% | CPEs: 1 | EXPL: 1

26 Jul 2022 — The Directorist WordPress plugin before 7.3.0 does not have authorisation and CSRF checks in an AJAX action, allowing any authenticated user to send arbitrary emails on behalf of the blog. The Directorist – WordPress Business Directory Plugin with Classified Ads Li...
• https://wpscan.com/vulnerability/f4e606e9-0664-42fb-a59b-21de306eb530
• CWE-352: Cross-Site Request Forgery (CSRF); CWE-862: Missing Authorization

CVSS: 7.2 | EPSS: 0% | CPEs: 1 | EXPL: 1

18 Jul 2022 — The Directorist WordPress plugin before 7.2.3 allows administrators to download other plugins from the same vendor directly to the site, but does not check the URL domain it gets the zip files from. This could allow administrators to run code on the server, which is a problem in multisite configurations.
• https://plugins.trac.wordpress.org/changeset/2752034/directorist?contextall=1&old=2731298&old_path=%2Fdirectorist
• CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 2

16 Nov 2021 — The Directorist WordPress plugin before 7.0.6.2 was vulnerable to Cross-Site Request Forgery to Remote File Upload leading to arbitrary PHP shell uploads in the wp-content/plugins directory.
• https://blog.sucuri.net/2021/11/fake-ransomware-infection-spooks-website-owners.html
• CWE-352: Cross-Site Request Forgery (CSRF); CWE-434: Unrestricted Upload of File with Dangerous Type