
CVE-2024-13541: CWE-862 Missing Authorization in adirectory aDirectory – WordPress Directory Listing Plugin

Severity: Medium
Type: Vulnerability
Tags: cve, cve-2024-13541, cwe-862
Published: Wed Feb 12 2025 (02/12/2025, 03:21:40 UTC)
Source: CVE Database V5
Vendor/Project: adirectory
Product: aDirectory – WordPress Directory Listing Plugin

Description

CVE-2024-13541 is a medium-severity vulnerability in the aDirectory WordPress Directory Listing Plugin affecting all versions up to 2.3. It arises from a missing authorization check in the adqs_delete_listing() function, allowing authenticated users with Subscriber-level access or higher to delete arbitrary posts. The vulnerability does not require user interaction and can be exploited remotely over the network. Although it does not impact confidentiality or availability, it compromises data integrity by enabling unauthorized deletion of content. No known exploits are currently reported in the wild. Organizations using this plugin should prioritize patching or implementing access controls to mitigate risk. This vulnerability primarily affects WordPress sites using the aDirectory plugin, which is more common in countries with high WordPress adoption. The severity is medium due to limited impact scope and required authentication.

AI-Powered Analysis

Last updated: 02/26/2026, 00:00:47 UTC

Technical Analysis

CVE-2024-13541 is a security vulnerability identified in the aDirectory – WordPress Directory Listing Plugin, which is widely used to manage directory listings on WordPress websites. The root cause is a missing authorization check (CWE-862) in the adqs_delete_listing() function, which is responsible for deleting listings. This flaw allows any authenticated user with Subscriber-level privileges or higher to delete arbitrary posts, bypassing intended access controls. Since WordPress Subscriber accounts typically have minimal permissions, this vulnerability significantly elevates their ability to modify site content maliciously. The vulnerability affects all versions up to and including 2.3 of the plugin. The CVSS v3.1 base score is 4.3 (medium), reflecting that the attack vector is network-based (remote), requires low privileges (authenticated user), no user interaction, and impacts integrity but not confidentiality or availability. No patches or official fixes have been published yet, and no known exploits are reported in the wild. The vulnerability could be exploited by attackers who have gained low-level access to the WordPress site, enabling them to delete posts arbitrarily, potentially disrupting site content and operations. This vulnerability highlights the importance of proper capability checks in plugin functions that modify or delete content.
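The capability check this analysis refers to, shown as an added example of a WordPress AJAX delete handler; it is not the aDirectory plugin's source. The action name `example_delete_listing`, the post type `example_listing` and the `nonce` and `post_id` parameter names are assumptions for illustration.

```php
<?php
// Hypothetical handler (names are assumptions, not taken from the plugin).
// Registered only on wp_ajax_, so unauthenticated requests have no handler.
add_action( 'wp_ajax_example_delete_listing', 'example_delete_listing' );

function example_delete_listing() {
    // 1. CSRF protection. A nonce proves the request came from the site's
    //    own UI; it does NOT prove the user may delete this object, because
    //    any logged-in user (including a Subscriber) can obtain one.
    check_ajax_referer( 'example_delete_listing', 'nonce' );

    // 2. Validate the target and make sure it exists.
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    $post    = $post_id ? get_post( $post_id ) : null;
    if ( ! $post ) {
        wp_send_json_error( array( 'message' => 'Listing not found.' ), 404 );
    }

    // 3. Scope: a listing endpoint should only ever touch listing posts,
    //    never pages or posts of other types.
    if ( 'example_listing' !== $post->post_type ) {
        wp_send_json_error( array( 'message' => 'Not a listing.' ), 400 );
    }

    // 4. Authorization (the step CWE-862 describes as missing). The
    //    'delete_post' meta capability is evaluated per object, so a user
    //    who owns one listing cannot delete someone else's.
    if ( ! current_user_can( 'delete_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden.' ), 403 );
    }

    // 5. Move to trash instead of hard-deleting so the action is recoverable.
    if ( ! wp_trash_post( $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Delete failed.' ), 500 );
    }

    wp_send_json_success( array( 'deleted' => $post_id ) );
}
```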

Potential Impact

The primary impact of CVE-2024-13541 is unauthorized modification of website content through deletion of posts, which compromises data integrity. For organizations relying on the aDirectory plugin, this could lead to loss of critical directory listings or other important posts, damaging the website’s reliability and user trust. Although the vulnerability does not expose sensitive data (no confidentiality impact) nor cause denial of service (no availability impact), the ability for low-privileged users to delete content can disrupt business operations, marketing efforts, or customer engagement. Attackers with subscriber-level access could exploit this to sabotage content or cover tracks after further intrusion. The impact is more severe for organizations with multiple users having subscriber or higher roles, especially if user accounts are weakly protected or compromised. Since no known exploits exist yet, the risk is currently moderate but could increase if exploit code is developed. The vulnerability affects WordPress sites globally but is more critical for those heavily dependent on the aDirectory plugin for content management.

Mitigation Recommendations

1. Immediately restrict Subscriber-level user permissions to the minimum necessary and audit existing user roles to ensure no excessive privileges are granted.
2. Monitor and log deletion activities on WordPress sites using the aDirectory plugin to detect unauthorized deletions promptly.
3. Implement a Web Application Firewall (WAF) with custom rules to detect and block suspicious requests targeting the adqs_delete_listing() function or related plugin endpoints.
4. Until an official patch is released, consider temporarily disabling or removing the aDirectory plugin if feasible, or replacing it with alternative directory listing plugins with verified secure authorization controls.
5. Enforce strong authentication mechanisms (e.g., MFA) for all WordPress users to reduce the risk of account compromise.
6. Regularly back up website content and database to enable recovery from unauthorized deletions.
7. Keep WordPress core and all plugins updated and subscribe to security advisories for timely patching once a fix is available.
8. Conduct security reviews of custom plugins or third-party plugins to ensure proper capability checks are implemented on sensitive functions.
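One way to implement the deletion monitoring in recommendation 2, as an added example rather than anything shipped by the plugin or this advisory: a must-use plugin that logs every trash and delete event and flags those performed by a user who does not hold the `delete_post` capability for that object. The file name, the `example_` function name and the log prefix are assumptions; it also assumes deletions go through WordPress's standard trash and delete functions.

```php
<?php
/**
 * Plugin Name: Deletion audit log (added example)
 * Place in wp-content/mu-plugins/deletion-audit.php (path is an assumption).
 */

function example_audit_post_removal( $post_id, $event ) {
    $post = get_post( $post_id );
    if ( ! $post || 'revision' === $post->post_type ) {
        return; // Skip revisions to keep the log readable.
    }

    $user   = wp_get_current_user();
    $system = ( 0 === (int) $user->ID ); // WP-Cron or WP-CLI: no logged-in user.
    $action = ( isset( $_REQUEST['action'] ) && is_string( $_REQUEST['action'] ) )
        ? sanitize_key( $_REQUEST['action'] )
        : '';

    $entry = array(
        'event'       => $event,
        'post_id'     => (int) $post_id,
        'post_type'   => $post->post_type,
        'post_author' => (int) $post->post_author,
        'user_id'     => (int) $user->ID,
        'roles'       => array_values( (array) $user->roles ),
        // The post still exists at this point, so the per-object check works.
        'authorized'  => $system || current_user_can( 'delete_post', $post_id ),
        'ajax'        => wp_doing_ajax(),
        'ajax_action' => $action,
    );

    // ALERT marks a removal by a logged-in user who lacks the capability,
    // which is the observable effect of a missing authorization check.
    $level = $entry['authorized'] ? 'INFO' : 'ALERT';
    error_log( '[deletion-audit] ' . $level . ' ' . wp_json_encode( $entry ) );
}

add_action( 'wp_trash_post', function ( $post_id ) {
    example_audit_post_removal( $post_id, 'trash' );
} );
add_action( 'before_delete_post', function ( $post_id ) {
    example_audit_post_removal( $post_id, 'delete' );
} );
```

Alerting on `[deletion-audit] ALERT` lines in the PHP error log gives a signal that does not depend on knowing the plugin's request format.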


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-01-20T16:12:57.522Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6e5fb7ef31ef0b59f173

Added to database: 2/25/2026, 9:49:19 PM

Last enriched: 2/26/2026, 12:00:47 AM

Last updated: 2/26/2026, 7:35:57 AM
