CVE-2024-10584
📋 TL;DR
The DirectoryPress WordPress plugin is vulnerable to stored XSS via SVG file uploads due to insufficient input sanitization. Authenticated attackers with author-level access can inject malicious scripts that execute when users view uploaded SVG files. When DirectoryPress Frontend is installed, unauthenticated users can also exploit this vulnerability.
💻 Affected Systems
- DirectoryPress – Business Directory And Classified Ad Listing plugin for WordPress
📦 What is this software?
Directorypress by Designinvento
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal admin credentials, deface websites, redirect users to malicious sites, or install backdoors for persistent access.
Likely Case
Attackers will inject malicious scripts to steal user session cookies, redirect users to phishing pages, or display unwanted content.
If Mitigated
With proper input validation and output escaping, SVG files would be safely handled without script execution.
🎯 Exploit Status
Exploitation requires uploading a malicious SVG file containing JavaScript. When DirectoryPress Frontend is installed, no authentication is required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.6.17
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3205071/directorypress/trunk/includes/directorypress_svg.php
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the DirectoryPress plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 3.6.17+ from the WordPress repository and update manually.
🔧 Temporary Workarounds
Block SVG files via .htaccess
Stop the web server from serving uploaded SVG files; a stored script cannot execute if the file is never delivered to a browser.
Add to .htaccess:
<FilesMatch "\.svg$">
Order Allow,Deny
Deny from all
</FilesMatch>
Note: Order/Deny is Apache 2.2 syntax; on Apache 2.4 use Require all denied inside the FilesMatch block instead.
Remove upload capability from low-privilege users
Restrict file upload permissions to administrators only.
Use WordPress role management plugins or custom code to remove the upload_files capability from the author and editor roles. This only limits logged-in users; it does not close the unauthenticated path that exists when DirectoryPress Frontend is installed.
🧯 If You Can't Patch
- Temporarily disable the DirectoryPress plugin until patched
- Implement web application firewall (WAF) rules to block malicious SVG uploads
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → DirectoryPress version. If the version is 3.6.16 or lower, the site is vulnerable.
Check Version:
wp plugin list --name=directorypress --field=version
Verify Fix Applied:
After updating, verify plugin version shows 3.6.17 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual SVG file uploads, especially with script tags or JavaScript content
- Multiple failed upload attempts with modified SVG files
Network Indicators:
- POST requests to upload endpoints with SVG files containing script tags
- Unusual outbound connections after SVG file access
SIEM Query:
source="web_server" AND (uri_path="/wp-content/uploads/" AND file_extension="svg") AND (content="<script>" OR content="javascript:")
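The log and SIEM indicators above key on raw string matches; the following is an added example (not DirectoryPress or vendor code) of a content check that parses an uploaded SVG and reports the markers an SVG-based stored XSS relies on (script elements, on* event handlers, javascript: URLs, foreignObject). The sample SVG inputs are constructed for the example.

```python
"""Flag active content in SVG files so suspicious uploads can be quarantined."""
import re
import sys
import xml.etree.ElementTree as ET

# Elements that carry executable or embedded (non-image) content.
ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}
# Attribute values using a script scheme (also catches SMIL <set to="javascript:...">).
SCRIPT_SCHEME = re.compile(r"^\s*javascript\s*:", re.I)


def local_name(tag: str) -> str:
    """Strip the XML namespace from an element or attribute name."""
    return tag.rsplit("}", 1)[-1] if "}" in tag else tag


def scan_svg(data: bytes) -> list:
    """Return findings for one SVG document; an empty list means nothing active found."""
    try:
        root = ET.fromstring(data)  # ElementTree does not resolve external entities
    except ET.ParseError as exc:
        return [f"unparseable: {exc}"]  # malformed XML is not trustworthy either
    findings = []
    for elem in root.iter():
        name = local_name(elem.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(f"element <{name}>")
        for attr, value in elem.attrib.items():
            aname = local_name(attr)
            if aname.lower().startswith("on"):
                findings.append(f"event handler {aname} on <{name}>")
            elif SCRIPT_SCHEME.match(value):
                findings.append(f"script URL in {aname} on <{name}>")
    return findings


# Constructed samples: a plain icon and an upload carrying three script vectors.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4"/></svg>'
SUSPICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<script>alert(1)</script>
<a xlink:href="javascript:alert(2)"><text y="15">x</text></a>
<rect width="10" height="10" onload="alert(3)"/>
</svg>"""

if __name__ == "__main__":
    # Usage: python scan_svg.py wp-content/uploads/**/*.svg
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            for finding in scan_svg(fh.read()):
                print(f"{path}: {finding}")
```

The check is deliberately narrow: data: URLs and CSS @import inside style elements are not flagged, so treat it as a triage filter rather than a sanitizer.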