4 matches found
CVE-2024-3552
CVE-2024-3552 affects the Web Directory Free WordPress plugin prior to 1.7.0. An unauthenticated AJAX action uses an unsanitised parameter in a SQL statement, enabling SQL injection via UNION, time-based, and error-based techniques, potentially compromising the database. The nuclei template confi...
CVE-2024-3673
CVE-2024-3673 affects the Web Directory Free WordPress plugin (versions before 1.7.3). The root cause is failure to validate a parameter before using it in an include(), enabling Local File Inclusion. Unauthenticated attackers can read sensitive files (e.g., /etc/passwd). CVSSv3.1 base score 9.1 ...
CVE-2024-3669
CVE-2024-3669 affects the Web Directory Free WordPress plugin prior to 1.7.2. The vulnerability arises because a parameter is not sanitised/escaped before being output on the page, causing a reflected XSS that could be leveraged against admin users. The issue is confirmed in multiple sources and ...
CVE-2023-2201
CVE-2023-2201 affects the Web Directory Free WordPress plugin up to version 1.6.7. Root cause: the post_id parameter is insufficiently escaped and the query is not a prepared statement, enabling an authenticated contributor to inject additional SQL into existing queries and potentially exfiltrate data. Public de...