Skip to main content

Directorist

13 CVEs product

Monthly

CVE-2026-59518 CRITICAL Act Now

PHP Object Injection in the wpWax Directorist WordPress plugin (all versions through 8.8.2) lets remote attackers pass untrusted serialized data into a PHP deserialization sink, instantiating arbitrary objects that can trigger POP gadget chains for code execution, data theft, or site compromise. The flaw carries a critical 9.8 CVSS score with an unauthenticated network vector; it was disclosed by Patchstack. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Deserialization Directorist
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2026-39509 MEDIUM This Month

Broken access control in wpWax Directorist WordPress plugin versions up to 8.5.10 allows unauthenticated remote attackers to modify data through incorrectly configured authorization checks. The vulnerability exploits missing permission validation on plugin functionality, enabling unauthorized state changes without authentication or user interaction. With EPSS at 0.02% and no public exploit code identified, real-world risk remains low despite network-accessible exploitation.

Authentication Bypass Directorist
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-1570 HIGH This Week

The Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

WordPress Privilege Escalation Directorist PHP
NVD
CVSS 3.1
8.1
EPSS
0.4%
CVE-2024-12041 MEDIUM PATCH This Month

The Directorist: AI-Powered WordPress Business Directory Plugin with Classified Ads Listings plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 8.0.12. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

WordPress Information Disclosure Directorist
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2024-1322 MEDIUM PATCH This Month

The Directorist - WordPress Business Directory Plugin with Classified Ads Listings plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

WordPress Authentication Bypass Directorist
NVD VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2023-1889 MEDIUM This Month

The Directorist plugin for WordPress is vulnerable to an Insecure Direct Object Reference in versions up to, and including, 7.5.4. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress Authentication Bypass Directorist
NVD VulDB
CVSS 3.1
6.5
EPSS
0.1%
CVE-2023-1888 HIGH This Week

The Directorist plugin for WordPress is vulnerable to an arbitrary user password reset in versions up to, and including, 7.5.4. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress Information Disclosure PHP Directorist
NVD VulDB
CVSS 3.1
8.8
EPSS
0.3%
CVE-2022-3961 MEDIUM POC This Month

The Directorist WordPress plugin before 7.4.4 does not prevent users with low privileges (like subscribers) from accessing sensitive system information. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass WordPress Directorist
NVD WPScan
CVSS 3.1
6.5
EPSS
0.7%
CVE-2022-3930 MEDIUM POC This Month

The Directorist WordPress plugin before 7.4.2.2 suffers from an IDOR vulnerability which an attacker can exploit to change the password of arbitrary users instead of his own. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure WordPress Directorist
NVD WPScan
CVSS 3.1
6.5
EPSS
0.6%
CVE-2022-2376 MEDIUM POC This Month

The Directorist WordPress plugin before 7.3.1 discloses the email address of all users in an AJAX action available to both unauthenticated and any authenticated users. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass WordPress Directorist
NVD WPScan
CVSS 3.1
5.3
EPSS
1.4%
CVE-2022-2377 MEDIUM POC This Month

The Directorist WordPress plugin before 7.3.0 does not have authorisation and CSRF checks in an AJAX action, allowing any authenticated users to send arbitrary emails on behalf of the blog. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Directorist
NVD WPScan
CVSS 3.1
4.3
EPSS
0.3%
CVE-2022-2046 MEDIUM POC This Month

The Directorist WordPress plugin before 7.2.3 allows administrators to download other plugins from the same vendor directly to the site, but does not check the URL domain it gets the zip files from. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress File Upload Directorist
NVD WPScan
CVSS 3.1
4.9
EPSS
0.8%
CVE-2021-24981 HIGH POC This Week

The Directorist WordPress plugin before 7.0.6.2 was vulnerable to Cross-Site Request Forgery to Remote File Upload leading to arbitrary PHP shell uploads in the wp-content/plugins directory. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

CSRF WordPress PHP File Upload Directorist
NVD WPScan
CVSS 3.1
7.5
EPSS
0.8%
EPSS 1% CVSS 9.8
CRITICAL Act Now

PHP Object Injection in the wpWax Directorist WordPress plugin (all versions through 8.8.2) lets remote attackers pass untrusted serialized data into a PHP deserialization sink, instantiating arbitrary objects that can trigger POP gadget chains for code execution, data theft, or site compromise. The flaw carries a critical 9.8 CVSS score with an unauthenticated network vector; it was disclosed by Patchstack. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Deserialization Directorist
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Broken access control in wpWax Directorist WordPress plugin versions up to 8.5.10 allows unauthenticated remote attackers to modify data through incorrectly configured authorization checks. The vulnerability exploits missing permission validation on plugin functionality, enabling unauthorized state changes without authentication or user interaction. With EPSS at 0.02% and no public exploit code identified, real-world risk remains low despite network-accessible exploitation.

Authentication Bypass Directorist
NVD
EPSS 0% CVSS 8.1
HIGH This Week

The Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

WordPress Privilege Escalation Directorist +1
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

The Directorist: AI-Powered WordPress Business Directory Plugin with Classified Ads Listings plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 8.0.12. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

WordPress Information Disclosure Directorist
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

The Directorist - WordPress Business Directory Plugin with Classified Ads Listings plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

WordPress Authentication Bypass Directorist
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

The Directorist plugin for WordPress is vulnerable to an Insecure Direct Object Reference in versions up to, and including, 7.5.4. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress Authentication Bypass Directorist
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

The Directorist plugin for WordPress is vulnerable to an arbitrary user password reset in versions up to, and including, 7.5.4. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress Information Disclosure PHP +1
NVD VulDB
EPSS 1% CVSS 6.5
MEDIUM POC This Month

The Directorist WordPress plugin before 7.4.4 does not prevent users with low privileges (like subscribers) from accessing sensitive system information. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass WordPress Directorist
NVD WPScan
EPSS 1% CVSS 6.5
MEDIUM POC This Month

The Directorist WordPress plugin before 7.4.2.2 suffers from an IDOR vulnerability which an attacker can exploit to change the password of arbitrary users instead of his own. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure WordPress Directorist
NVD WPScan
EPSS 1% CVSS 5.3
MEDIUM POC This Month

The Directorist WordPress plugin before 7.3.1 discloses the email address of all users in an AJAX action available to both unauthenticated and any authenticated users. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass WordPress Directorist
NVD WPScan
EPSS 0% CVSS 4.3
MEDIUM POC This Month

The Directorist WordPress plugin before 7.3.0 does not have authorisation and CSRF checks in an AJAX action, allowing any authenticated users to send arbitrary emails on behalf of the blog. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Directorist
NVD WPScan
EPSS 1% CVSS 4.9
MEDIUM POC This Month

The Directorist WordPress plugin before 7.2.3 allows administrators to download other plugins from the same vendor directly to the site, but does not check the URL domain it gets the zip files from. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress File Upload Directorist
NVD WPScan
EPSS 1% CVSS 7.5
HIGH POC This Week

The Directorist WordPress plugin before 7.0.6.2 was vulnerable to Cross-Site Request Forgery to Remote File Upload leading to arbitrary PHP shell uploads in the wp-content/plugins directory. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

CSRF WordPress PHP +2
NVD WPScan

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy