High severity8.8NVD Advisory· Published Jun 9, 2023· Updated Apr 8, 2026

CVE-2023-1888

Description

The Directorist plugin for WordPress is vulnerable to an arbitrary user password reset in versions up to, and including, 7.5.4. This is due to a lack of validation checks within login.php. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to reset the password of an arbitrary user and gain elevated (e.g., administrator) privileges.

Affected products

Wpwax/Directorist
cpe:2.3:a:wpwax:directorist:*:*:*:*:*:wordpress:*:*
Range: <=7.5.4

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.wordfence.com/threat-intel/vulnerabilities/id/01943559-e05b-4dca-b322-d880b2729ee7nvdThird Party Advisory
plugins.trac.wordpress.org/changeset/2920100/directoristnvdIssue Tracking
www.wordfence.com/blog/2023/06/critical-security-update-directorist-wordpress-plugin-patches-two-high-risk-vulnerabilities/nvd

News mentions

No linked articles in our index yet.

cvss	0.572
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000