CVE-2021-24178: 
WordPress vulnerability analysis and mitigation

The Business Directory Plugin for WordPress (versions before 5.11.1) was identified with a security vulnerability tracked as CVE-2021-24178. The vulnerability was discovered and publicly disclosed on April 11, 2021. This security issue affected the Easy Listing Directories functionality within WordPress installations using the affected plugin versions (WPScan Details).

The vulnerability was classified as a Cross-Site Request Forgery (CSRF) issue with a CVSS score of 7.1 (High). It is categorized under CWE-352 and aligns with the OWASP Top 10 category A2: Broken Authentication and Session Management. The technical assessment revealed that the vulnerability could lead to Stored Cross-Site Scripting (XSS) issues through form field manipulation (WPScan Details).

The vulnerability allowed attackers to manipulate form fields by adding, editing, or deleting them when targeting a logged-in administrator. This could lead to stored Cross-Site Scripting issues affecting multiple pages including the business directory page, Import/Export page, listing management pages, and various settings pages (WPScan Details).

The vulnerability was addressed in version 5.11.1 of the Business Directory Plugin. The update implemented proper CSRF protections and added appropriate capability checks. However, it's worth noting that some sanitization issues remained after the initial fix, potentially allowing XSS via high-privilege accounts in certain pages (WPScan Details).