CVE-2024-13887

Name of the Vulnerable Software and Affected Versions: The Business Directory Plugin – Easy Listing Directories for WordPress versions prior to 6.4.15

Description: The issue is related to Insecure Direct Object Reference. It affects the ajax listing submit image upload function due to missing validation on a user-controlled key. This allows unauthenticated attackers to add arbitrary images to listings.

Recommendations: For versions prior to 6.4.15, update to version 6.4.15 or later to resolve the issue. As a temporary workaround, consider disabling the ajax listing submit image upload function until a patch is available. Restrict access to the image upload functionality to minimize the risk of exploitation.