PT-2021-3534 · WordPress · The Business Directory Plugin

0Xb9 · Published 2021-05-05 · Updated 2021-12-08 · CVE-2021-24248

CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Business Directory Plugin versions prior to 5.11.1

Description: The issue is an unrestricted upload of files of dangerous types in the Business Directory plugin for WordPress. It could allow a remote attacker to read arbitrary files in the configuration directory. The root cause is improper checking of imported files: the plugin uses a blacklist to forbid certain extensions, and the blacklist can be bypassed by importing an archive that contains a malicious file with an unlisted extension, such as a .php4 file, leading to remote code execution.

Recommendations: For versions prior to 5.11.1, update to version 5.11.1 or later to resolve the issue. As a temporary workaround, restrict access to the file upload functionality to minimize the risk of exploitation, and avoid using the plugin's file import feature until the issue is resolved.
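The blacklist check the description refers to, beside an allowlist check applied to every entry of an imported archive before extraction, as an added example that is not the plugin's own code; the accepted extensions and the PHP 8 string functions are assumptions:

```php
<?php
// Added illustration, not the plugin's own code: why an extension blacklist
// fails for an imported archive and what an allowlist check looks like.
// Assumes PHP 8 with the zip extension; the allowed extensions are an assumption.

// Blacklist: only listed extensions are refused, so a variant the server
// still executes (here .php4) passes.
function blacklist_allows(string $name): bool {
    $blocked = ['php', 'phtml'];
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return !in_array($ext, $blocked, true);
}

// Allowlist: accept only the extensions the import needs, refuse traversal
// in entry names, and check every suffix so "x.php4.jpg" is also refused.
function allowlist_allows(string $name): bool {
    $allowed = ['csv', 'jpg', 'jpeg', 'png', 'gif'];
    if (str_contains($name, "\0") || str_contains($name, '..') || str_starts_with($name, '/')) {
        return false;
    }
    $parts = explode('.', basename($name));
    if (count($parts) < 2) {
        return false;                      // no extension at all
    }
    array_shift($parts);                   // drop the base name
    foreach ($parts as $suffix) {
        if (!in_array(strtolower($suffix), $allowed, true)) {
            return false;
        }
    }
    return true;
}

// Inspect the ZIP before extracting anything: every file entry must pass.
function archive_is_safe(string $zipPath): bool {
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        return false;
    }
    $safe = true;
    for ($i = 0; $i < $zip->numFiles && $safe; $i++) {
        $name = $zip->getNameIndex($i);
        if (substr($name, -1) !== '/') {    // skip directory entries
            $safe = allowlist_allows($name);
        }
    }
    $zip->close();
    return $safe;
}
```

With these functions, `blacklist_allows('shell.php4')` returns true while `allowlist_allows('shell.php4')` returns false, which is the whole difference the advisory describes.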

Tags: Exploit · Fix · RCE · Unrestricted File Upload


Weakness Enumeration

Related Identifiers

BDU:2021-03585
CVE-2021-24248

Affected Products

The Business Directory Plugin