
CVE-2022-3930: CWE-639 Authorization Bypass Through User-Controlled Key in Unknown Directorist

Medium
Published: Mon Dec 12 2022 (12/12/2022, 17:54:51 UTC)
Source: CVE
Vendor/Project: Unknown
Product: Directorist

Description

The Directorist WordPress plugin before 7.4.2.2 suffers from an IDOR vulnerability which an attacker can exploit to change the password of arbitrary users instead of his own.

AI-Powered Analysis

Last updated: 06/22/2025, 00:20:46 UTC

Technical Analysis

CVE-2022-3930 is an authorization bypass vulnerability classified under CWE-639 (Authorization Bypass Through User-Controlled Key) affecting the Directorist WordPress plugin versions prior to 7.4.2.2. Directorist is a plugin used to create directory and listing websites on WordPress platforms. The vulnerability allows an attacker with limited privileges (requiring at least some level of authentication) to exploit an Insecure Direct Object Reference (IDOR) flaw. Specifically, the attacker can manipulate user-controlled keys or identifiers to change the password of arbitrary users instead of being restricted to changing only their own password. This bypasses normal authorization checks that should prevent users from modifying other users’ credentials. The vulnerability is remotely exploitable over the network without user interaction, and the attack complexity is low, as it requires only authenticated access but no special privileges beyond that. The CVSS v3.1 base score is 6.5 (medium severity), reflecting the high impact on integrity (unauthorized password changes) but no direct impact on confidentiality or availability. No known exploits have been reported in the wild as of the publication date. The vulnerability was reserved in November 2022 and publicly disclosed in December 2022. No official patch links are provided in the data, but it is implied that versions 7.4.2.2 and later address the issue. Since Directorist is a WordPress plugin, the vulnerability affects any WordPress site using the affected versions of this plugin, potentially exposing user accounts to takeover or unauthorized password resets by authenticated attackers.
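To show the CWE-639 pattern the analysis describes, here is an added illustration (not Directorist's code; the handler names, nonce action and request fields are assumed) of a WordPress AJAX password-change handler that trusts a client-supplied user ID, next to a version that derives the target from the authenticated session and checks the edit_user capability when another account is named:

```php
<?php
// Added example, hypothetical code: illustrates the IDOR class of CVE-2022-3930,
// not the plugin's actual implementation. Names below are assumptions.

// VULNERABLE: the account to modify is taken from the request body.
// The nonce proves the request came from a page WordPress rendered (CSRF),
// but it says nothing about whether this user may edit $user_id.
function hypothetical_vulnerable_change_password() {
    check_ajax_referer( 'hypo_change_password', 'nonce' );
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'not logged in', 401 );
    }
    $user_id = absint( $_POST['user_id'] );      // user-controlled key (CWE-639)
    $new_pw  = (string) ( $_POST['new_password'] ?? '' );
    wp_set_password( $new_pw, $user_id );        // rotates whichever account the client named
    wp_send_json_success();
}

// HARDENED: default to the session identity; only honour a different user_id
// when WordPress's own capability model says the caller may edit that user.
function hypothetical_hardened_change_password() {
    check_ajax_referer( 'hypo_change_password', 'nonce' );
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'not logged in', 401 );
    }
    $current   = wp_get_current_user();          // authoritative identity from the auth cookie
    $target_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : $current->ID;

    if ( $target_id !== $current->ID && ! current_user_can( 'edit_user', $target_id ) ) {
        wp_send_json_error( 'forbidden', 403 );  // server-side authorization, not a client hint
    }
    $new_pw = (string) ( $_POST['new_password'] ?? '' );
    if ( $target_id === $current->ID ) {
        // Self-service change: require the current password so a stolen session alone
        // cannot lock the legitimate owner out.
        $old = (string) ( $_POST['current_password'] ?? '' );
        if ( ! wp_check_password( $old, $current->user_pass, $current->ID ) ) {
            wp_send_json_error( 'current password incorrect', 403 );
        }
    }
    wp_set_password( $new_pw, $target_id );
    if ( $target_id === $current->ID ) {
        wp_set_auth_cookie( $current->ID );      // auth cookie is keyed to the password hash; re-issue it
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_hypo_change_password', 'hypothetical_hardened_change_password' );
```

The mitigation is the explicit current_user_can( 'edit_user', ... ) check on the server: the nonce and the login check alone do not constrain which account the request may modify.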

Potential Impact

For European organizations, the impact of this vulnerability can be significant depending on the use of the Directorist plugin within their WordPress infrastructure. Organizations running directory or listing websites that rely on Directorist may face unauthorized password changes leading to account takeover, privilege escalation, and potential lateral movement within their web environment. This can compromise the integrity of user accounts, disrupt business operations, and damage reputation. While the vulnerability does not directly expose confidential data or cause denial of service, the ability to change arbitrary user passwords can facilitate further attacks such as phishing, fraud, or unauthorized access to sensitive internal resources if the compromised accounts have elevated privileges. Small and medium enterprises (SMEs) and public sector entities using WordPress for public-facing directories are particularly at risk. The lack of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially given the low complexity of exploitation and the widespread use of WordPress in Europe. Organizations in sectors with high reliance on web presence and user account management (e.g., tourism, local government, education) should be vigilant.

Mitigation Recommendations

1. Immediate upgrade of the Directorist plugin to version 7.4.2.2 or later, where the vulnerability is patched.
2. Implement strict access controls and role-based permissions within WordPress to limit which users can change passwords or manage user accounts.
3. Monitor WordPress logs for unusual password change activities, especially those initiated by non-administrative users.
4. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious requests targeting user password change endpoints.
5. Conduct regular security audits of WordPress plugins and themes to identify outdated or vulnerable components.
6. Educate users and administrators about the risks of privilege escalation and encourage strong, unique passwords and multi-factor authentication (MFA) where possible.
7. If immediate patching is not possible, consider temporarily disabling the password change functionality or restricting it to trusted IP addresses or user roles.
8. Use security plugins that can detect and alert on IDOR or authorization bypass attempts.

These steps go beyond generic advice by focusing on plugin-specific patching, monitoring, and access control tailored to the nature of the vulnerability.


Technical Details

Data Version
5.1
Assigner Short Name
WPScan
Date Reserved
2022-11-10T16:15:50.748Z
Cisa Enriched
true

Threat ID: 682d9849c4522896dcbf66ab

Added to database: 5/21/2025, 9:09:29 AM

Last enriched: 6/22/2025, 12:20:46 AM

Last updated: 7/26/2025, 2:13:17 AM
