CVE-2021-24981 – The Directorist WordPress plugin before version... (How to Fix)

Q: What is the severity of CVE-2021-24981?

CVE-2021-24981 has a CVSS score of 7.5 (HIGH). The Directorist WordPress plugin before version 7.0.6.2 contains a Cross-Site Request Forgery (CSRF) vulnerability that allows attackers to trick authenticated administrators into uploading arbitrary PHP files to the wp-content/plugins directory. This can lead to remote code execution and complete website compromise. All WordPress sites running vulnerable versions of the Directorist plugin are affected.

📋 TL;DR

The Directorist WordPress plugin before version 7.0.6.2 contains a Cross-Site Request Forgery (CSRF) vulnerability that allows attackers to trick authenticated administrators into uploading arbitrary PHP files to the wp-content/plugins directory. This can lead to remote code execution and complete website compromise. All WordPress sites running vulnerable versions of the Directorist plugin are affected.

💻 Affected Systems

Products:

Directorist WordPress Plugin

Versions: All versions before 7.0.6.2

Operating Systems: All operating systems running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: Requires an authenticated administrator to be tricked into performing an action, but no special configuration needed.

📦 What is this software?

Directorist by Wpwax

View all CVEs affecting Directorist →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete website takeover with persistent backdoor installation, data theft, defacement, and use as a platform for further attacks.

🟠

Likely Case

Malicious PHP shell upload leading to website defacement, data exfiltration, or ransomware deployment.

🟢

If Mitigated

Attack fails due to proper CSRF protections, file upload restrictions, or web application firewall blocking.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: CONFIRMED

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires social engineering to trick an authenticated administrator, but the technical exploit is straightforward once the user is tricked.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.0.6.2

Vendor Advisory: https://wordpress.org/plugins/directorist/#developers

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find Directorist plugin. 4. Click 'Update Now' if available, or manually update to version 7.0.6.2 or later.

🔧 Temporary Workarounds

Disable Directorist Plugin

all

Temporarily disable the vulnerable plugin until patching is possible.

wp plugin deactivate directorist

Restrict PHP File Uploads

linux

Configure web server to block PHP file uploads to wp-content/plugins directory.

# Add to .htaccess in wp-content/plugins:
<Files *.php>
    Order Deny,Allow
    Deny from all
</Files>

🧯 If You Can't Patch

Implement strict CSRF protection headers and tokens across all admin forms.
Deploy a web application firewall (WAF) with rules to block malicious file uploads and CSRF attempts.

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Installed Plugins for Directorist version. If version is below 7.0.6.2, you are vulnerable.

Check Version:

wp plugin get directorist --field=version

Verify Fix Applied:

Verify Directorist plugin version is 7.0.6.2 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

Unusual file uploads to wp-content/plugins directory
POST requests to Directorist admin endpoints without proper CSRF tokens
PHP file execution from plugins directory

Network Indicators:

HTTP POST requests containing file uploads to Directorist endpoints
Unexpected outbound connections from WordPress server after file upload

SIEM Query:

source="web_server" AND (uri_path="/wp-admin/admin-ajax.php" OR uri_path CONTAINS "directorist") AND method="POST" AND (file_upload="true" OR content_type="multipart/form-data")

📊 Metadata

CVE ID: CVE-2021-24981

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-352

Published: December 21, 2021

Last Updated: November 21, 2024

🔗 References

https://blog.sucuri.net/2021/11/fake-ransomware-infection-spooks-website-owners.html Exploit,Third Party Advisory
https://wpscan.com/vulnerability/4c45df6d-b3f6-49e5-8b1f-edd32a12d71c Exploit,Third Party Advisory
https://blog.sucuri.net/2021/11/fake-ransomware-infection-spooks-website-owners.html Exploit,Third Party Advisory
https://wpscan.com/vulnerability/4c45df6d-b3f6-49e5-8b1f-edd32a12d71c Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-24981, you might also want to check these: