CVE-2022-2377

CVE-2022-2377: Directorist < 7.3.0 - Subscriber+ Arbitrary E-mail Sending

Vendor Unknown

Product Directorist – WordPress Business Directory Plugin with Classified Ads Listings

Weakness CWE-862 · Missing authorization

Published August 22, 2022

Last update August 3, 2024

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

01Description

The Directorist WordPress plugin before 7.3.0 does not have authorisation and CSRF checks in an AJAX action, allowing any authenticated users to send arbitrary emails on behalf of the blog

Key dates

02Disclosure timeline

August 22, 2022 CVE published

August 3, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2022-2377 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/862.html

Related vulnerabilities

04Related CVE

CVE-2025-54037 WordPress News Kit Elementor Addons plugin <= 1.3.4 - Broken Access Control Vulnerability CVE-2026-3155 OneSignal – Web Push Notifications <= 3.8.0 - Missing Authorization to Authenticated (Subscriber+) Post Meta Deletion via 'post_id' CVE-2025-39373 WordPress JNews Theme <= 11.6.16 - Broken Access Control Vulnerability CVE-2026-40809 WordPress Metro Magazine theme <= 1.4.1 - Broken Access Control vulnerability CVE-2025-47526 WordPress GS Variation Swatches for WooCommerce plugin <= 3.0.4 - Broken Access Control Vulnerability