CVE-2024-34821
📋 TL;DR
This CVE describes a Missing Authorization vulnerability in the Contact List PRO WordPress plugin that allows unauthorized users to perform actions intended only for authenticated administrators. It affects all versions up to 2.9.87 of the Contact List – Easy Business Directory, Staff Directory and Address Book Plugin. WordPress sites using this vulnerable plugin are at risk.
💻 Affected Systems
- Contact List – Easy Business Directory, Staff Directory and Address Book Plugin (Contact List PRO)
📦 What is this software?
Contact List by Contactlistpro
⚠️ Risk & Real-World Impact
Worst Case
Unauthenticated attackers could modify contact lists, delete entries, or potentially escalate privileges to gain administrative control of the WordPress site.
Likely Case
Unauthorized users could view, edit, or delete contact information that should be restricted to administrators, leading to data exposure or corruption.
If Mitigated
With proper access controls and authentication checks, only authorized administrators can manage contact lists as intended.
🎯 Exploit Status
The vulnerability is a broken access control issue that likely requires minimal technical skill to exploit once the attack vector is identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.9.88 or later
Vendor Advisory: https://patchstack.com/database/vulnerability/contact-list/wordpress-contact-list-plugin-2-9-87-broken-access-control-vulnerability
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'Contact List – Easy Business Directory, Staff Directory and Address Book Plugin'.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 2.9.88 or later from the WordPress plugin repository and update manually.
🔧 Temporary Workarounds
Disable vulnerable plugin
All platforms: temporarily deactivate the Contact List PRO plugin until it is patched.
wp plugin deactivate contact-list
Restrict plugin access via .htaccess
Linux (Apache): add access restrictions to the plugin directory. This only blocks direct HTTP requests for files under the plugin directory (such as standalone PHP files or assets); plugin code that WordPress loads and runs through /wp-admin/admin-ajax.php or other core entry points is not affected by it, so deactivating the plugin is the more complete workaround. The directives below use Apache 2.2 syntax; on Apache 2.4 they keep working only if mod_access_compat is loaded.
# Add to .htaccess in wp-content/plugins/contact-list/
Order Deny,Allow
Deny from all
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block unauthorized access to plugin endpoints
- Restrict network access to WordPress admin interface using IP whitelisting
🔍 How to Verify
Check if Vulnerable:
In the WordPress admin panel, go to Plugins and read the Contact List PRO plugin version. If it is 2.9.87 or lower, the site is vulnerable.
Check Version:
wp plugin get contact-list --field=version
Verify Fix Applied:
After updating, verify plugin version shows 2.9.88 or higher in WordPress admin panel.
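The version check above can be scripted for a fleet of sites. The following POSIX shell snippet is an added example, not part of the advisory or the plugin: it compares a dotted version string against the first fixed release (2.9.88) without relying on GNU sort -V, and the usage line feeding it the wp-cli output is an assumption about how you would call it.

```shell
# Added example: decide whether an installed Contact List version falls in the
# affected range (<= 2.9.87). Pure POSIX sh, so it runs on minimal hosts.
# Assumed usage:
#   contact_list_vulnerable "$(wp plugin get contact-list --field=version)" && echo "UPDATE NEEDED"

# Compare two dotted numeric version strings; prints -1, 0 or 1.
# Missing trailing components are treated as 0 (2.9 == 2.9.0).
vercmp() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ah="${a%%.*}"; bh="${b%%.*}"
    # Drop the consumed component, or empty the string when none remain.
    [ "$ah" = "$a" ] && a="" || a="${a#*.}"
    [ "$bh" = "$b" ] && b="" || b="${b#*.}"
    ah="${ah:-0}"; bh="${bh:-0}"
    if [ "$ah" -lt "$bh" ]; then printf '%s\n' -1; return; fi
    if [ "$ah" -gt "$bh" ]; then printf '%s\n' 1; return; fi
  done
  printf '%s\n' 0
}

# Exit status 0 (true) when the given version is still affected, 1 otherwise.
contact_list_vulnerable() {
  [ "$(vercmp "$1" "2.9.88")" -lt 0 ]
}
```

Because the check is a plain exit status, it drops straight into a loop over WP-CLI `--path=` targets or a configuration-management fact check.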
📡 Detection & Monitoring
Log Indicators:
- Unauthorized POST requests to /wp-admin/admin-ajax.php with contact-list related actions
- Unexpected modifications to contact list database tables
Network Indicators:
- Unusual traffic patterns to contact-list plugin endpoints from unauthenticated sources
SIEM Query:
source="wordpress.log" AND (uri_path="/wp-admin/admin-ajax.php" AND parameters CONTAINS "contact_list") AND user="-"
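For sites without a SIEM, the same condition as the query above can be run over the web server's access log with awk. The snippet below is an added example, not part of the advisory; the log lines are constructed (the action names are made up, not the plugin's real ones), and the filter mirrors the advisory's user="-" condition. One caveat to keep in mind: in a stock Apache/nginx combined log that field is the HTTP basic-auth user, so WordPress cookie-based sessions also show "-" there; the condition only distinguishes basic-auth users unless your log format records the WordPress login state.

```shell
# Added example: flag POSTs to admin-ajax.php carrying a contact-list action
# from requests with no remote user, reading combined-format log lines on stdin.
# Combined format fields after whitespace splitting:
#   $1 client  $2 ident  $3 remote user  $4/$5 timestamp  $6 "METHOD  $7 path
flag_contact_list_ajax() {
  awk '
    $6 == "\"POST" &&
    index($7, "/wp-admin/admin-ajax.php") == 1 &&
    $7 ~ /contact[_-]list/ &&
    $3 == "-" { print }
  '
}

# Constructed sample log; only the first two lines should be flagged
# (third is a GET, fourth has a remote user, fifth is an unrelated action).
sample_log() {
  cat <<'EOF'
203.0.113.5 - - [10/May/2024:12:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=contact_list_example HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.5 - - [10/May/2024:12:00:02 +0000] "POST /wp-admin/admin-ajax.php?action=contact-list-example HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.5 - - [10/May/2024:12:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=contact_list_example HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.5 - admin [10/May/2024:12:00:04 +0000] "POST /wp-admin/admin-ajax.php?action=contact_list_example HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/May/2024:12:00:05 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 64 "-" "Mozilla/5.0"
EOF
}

# Number of flagged lines in the sample, printed on stdout.
count_flagged() {
  sample_log | flag_contact_list_ajax | wc -l | tr -d ' '
}
```

On a live host replace `sample_log` with `tail -f /var/log/apache2/access.log` (or the nginx equivalent) and forward the flagged lines to your alerting channel; pair it with the database-modification indicator above, since a POST body action is not visible in the access log and an attacker-controlled action may be sent in the body rather than the query string.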