{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-13887", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-02-18T20:02:23.830Z", "datePublished": "2025-03-13T03:21:01.466Z", "dateUpdated": "2025-03-14T13:52:54.421Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-03-13T03:21:01.466Z"}, "affected": [{"vendor": "strategy11team", "product": "Business Directory Plugin \u2013 Easy Listing Directories for WordPress", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "6.4.14", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Business Directory Plugin \u2013 Easy Listing Directories for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.4.14 via the 'ajax_listing_submit_image_upload' function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to add arbitrary images to listings."}], "title": "Business Directory Plugin - Easy Listing Directories for WordPress <= 6.4.14 - Insecure Direct Object Reference to Listing Arbitrary Image Addition", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/06c3de6d-92e7-46f8-86a9-37f027767fc0?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3249927/business-directory-plugin/trunk/includes/class-wpbdp.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-639 Authorization Bypass Through User-Controlled Key", "cweId": "CWE-639", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Rein Daelman"}], "timeline": [{"time": "2025-02-18T00:00:00.000+00:00", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-03-12T00:00:00.000+00:00", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-14T13:52:48.076105Z", "id": "CVE-2024-13887", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-14T13:52:54.421Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-13887", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-14T13:52:48.076105Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-14T13:52:51.579Z"}}], "cna": {"title": "Business Directory Plugin - Easy Listing Directories for WordPress <= 6.4.14 - Insecure Direct Object Reference to Listing Arbitrary Image Addition", "credits": [{"lang": "en", "type": "finder", "value": "Rein Daelman"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "strategy11team", "product": "Business Directory Plugin \u2013 Easy Listing Directories for WordPress", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "6.4.14"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-02-18T00:00:00.000+00:00", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-03-12T00:00:00.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/06c3de6d-92e7-46f8-86a9-37f027767fc0?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3249927/business-directory-plugin/trunk/includes/class-wpbdp.php"}], "descriptions": [{"lang": "en", "value": "The Business Directory Plugin \u2013 Easy Listing Directories for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.4.14 via the 'ajax_listing_submit_image_upload' function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to add arbitrary images to listings."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-03-13T03:21:01.466Z"}}}, "cveMetadata": {"cveId": "CVE-2024-13887", "state": "PUBLISHED", "dateUpdated": "2025-03-14T13:52:54.421Z", "dateReserved": "2025-02-18T20:02:23.830Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-03-13T03:21:01.466Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Business Directory Plugin \u2013 Easy Listing Directories for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.4.14 via the 'ajax_listing_submit_image_upload' function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to add arbitrary images to listings."}], "id": "CVE-2024-13887", "lastModified": "2025-03-13T04:15:18.680", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2025-03-13T04:15:18.680", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3249927/business-directory-plugin/trunk/includes/class-wpbdp.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/06c3de6d-92e7-46f8-86a9-37f027767fc0?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}