
Cloud Vulnerability DB
A community-led vulnerabilities database
The Business Directory Plugin for WordPress (versions before 5.11) is affected by CVE-2021-24179, a high-severity vulnerability disclosed in April 2021. The plugin's file import functionality performed no Cross-Site Request Forgery (CSRF) check, so an attacker could trick a logged-in administrator into importing files of the attacker's choosing (WPScan).
Because the imported files were also not validated, the CSRF flaw could be chained into Remote Code Execution (RCE): a PHP file supplied by the attacker and written to the server by the import would execute with the web server's privileges, potentially leading to complete site compromise. The vulnerability was assigned a CVSS score of 8.3 (High). Version 5.11 added CSRF checks and some file validation, but the validation relies on a blacklist of forbidden extensions (such as .php) that is incomplete; for example, files with a .php4 extension can still be uploaded, although only by users who already hold high privileges (WPScan).
The vulnerability was patched in version 5.11 of the Business Directory Plugin, and users are strongly advised to update to this version or later. The update closes the CSRF vector, which was what made the issue exploitable against an unwitting administrator; the gap left by the incomplete blacklist is reachable only by already highly privileged users (WPScan).
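As an added illustration (not code from the plugin or from the WPScan advisory), the plain PHP below contrasts the two weaknesses described above: an import handler with no CSRF check and blacklist-based filename validation, beside one that verifies an anti-CSRF token and uses an extension allowlist. The function names, the token mechanism (a per-session random token standing in for WordPress nonces such as check_admin_referer()) and the sample filenames are assumptions made for the example.

```php
<?php
// Added example, not the plugin's own code. Demonstrates why an extension
// blacklist is bypassable and why a state-changing import needs a CSRF check.
declare(strict_types=1);

// Blacklist in the spirit of the advisory: forbids specific extensions such
// as .php, but misses variants a web server may still execute as PHP.
const FORBIDDEN_EXTENSIONS = ['php', 'phtml'];

// Allowlist: only the formats a directory import legitimately needs (assumed).
const ALLOWED_EXTENSIONS = ['csv', 'zip'];

function extension_of(string $filename): string
{
    return strtolower(pathinfo($filename, PATHINFO_EXTENSION));
}

// Incomplete blacklist check: accepts anything not explicitly forbidden.
function blacklist_accepts(string $filename): bool
{
    return !in_array(extension_of($filename), FORBIDDEN_EXTENSIONS, true);
}

// Allowlist check: accepts only explicitly permitted extensions.
function allowlist_accepts(string $filename): bool
{
    return in_array(extension_of($filename), ALLOWED_EXTENSIONS, true);
}

// Constant-time comparison of the submitted anti-CSRF token against the one
// bound to the administrator's session (stands in for a WordPress nonce check).
function csrf_token_valid(array $request, string $sessionToken): bool
{
    $submitted = $request['_csrf_token'] ?? '';
    return is_string($submitted) && hash_equals($sessionToken, $submitted);
}

// Vulnerable handler: no CSRF check, blacklist validation only.
function import_vulnerable(array $request): string
{
    $name = (string) ($request['filename'] ?? '');
    return blacklist_accepts($name) ? "imported $name" : "rejected $name";
}

// Hardened handler: CSRF check first, then allowlist validation.
function import_hardened(array $request, string $sessionToken): string
{
    if (!csrf_token_valid($request, $sessionToken)) {
        return 'rejected: missing or invalid CSRF token';
    }
    $name = (string) ($request['filename'] ?? '');
    return allowlist_accepts($name) ? "imported $name" : "rejected $name";
}

// Constructed inputs: a request forged from another site carries no token,
// and the attacker picks a .php4 name to slip past the blacklist.
$sessionToken = bin2hex(random_bytes(16));
$forged = ['filename' => 'shell.php4'];
$legit  = ['filename' => 'listings.csv', '_csrf_token' => $sessionToken];

echo 'vulnerable, forged request: ', import_vulnerable($forged), PHP_EOL;
echo 'hardened, forged request:   ', import_hardened($forged, $sessionToken), PHP_EOL;
echo 'hardened, legitimate request: ', import_hardened($legit, $sessionToken), PHP_EOL;
```

Run it with the php command-line interpreter: the forged request naming shell.php4 passes the blacklist in the vulnerable handler, is stopped by the token check in the hardened one, and the legitimate listings.csv request with a valid token is accepted. An extension allowlist is necessary but not sufficient on its own; imported files should also be written to a location where the web server does not execute scripts, and their contents checked against the expected import format rather than trusting the filename.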
Source: This report was generated using AI