cleantalk
Vulnerabilities and Security Researches

DirectoryPress – Business Directory And Classified Ad Listing, CVE-2024-10584

CVE, Research URL

CVE-2024-10584

Home page URL

Security reports for DirectoryPress – Business Directory And Classified Ad Listing

Application

DirectoryPress – Business Directory And Classified Ad Listing

Published on
Dec 24, 2024
Research Description
The DirectoryPress – Business Directory And Classified Ad Listing plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 3.6.16 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. When DirectoryPress Frontend is installed, this can be exploited by unauthenticated users.
Affected versions
Min -, max 3.6.17.
Status
vulnerable
Previous vulnerability researches
DirectoryPress Frontend (CVE-2024-10581) , Feb 16, 2025
DirectoryPress – Business Directory And Classified Ad Listing (CVE-2024-49633) , Jan 09, 2025
DirectoryPress – Business Directory And Classified Ad Listing (CVE-2023-37967) , Jun 10, 2024
DirectoryPress – Business Directory And Classified Ad Listing (CVE-2024-10584) , Dec 25, 2024
DirectoryPress – Business Directory And Classified Ad Listing (CVE-2024-38755) , Jul 15, 2024
New vulnerability
GB Gallery Slideshow (CVE-2025-32649) , Apr 18, 2025
Question Answer (CVE-2025-32646) , Apr 18, 2025
PropertyHive (CVE-2025-39577) , Apr 18, 2025
WP-BusinessDirectory – Business directory plugin for WordPress (CVE-2025-32630) , Apr 18, 2025
WordPress WP-Advanced-Search (CVE-2025-39538) , Apr 18, 2025