CVE-2022-3961: 
WordPress vulnerability analysis and mitigation

The Directorist WordPress plugin versions before 7.4.4 contained a sensitive information disclosure vulnerability, identified as CVE-2022-3961. The vulnerability was discovered and publicly disclosed on November 28, 2022. This security issue affects the Directorist plugin, a WordPress directory listing solution (WPScan).

The vulnerability stems from improper access control where the plugin fails to prevent users with low privileges (such as subscribers) from accessing sensitive system information. The vulnerability has been assigned a CVSS score of 4.3 (medium severity) and is classified under CWE-862 (Missing Authorization) and OWASP Top 10 category A5: Broken Access Control (WPScan).

When exploited, this vulnerability allows authenticated users with low-level privileges (subscriber and above) to access sensitive system information that should typically be restricted to administrators. This unauthorized access to system information could potentially expose configuration details and other sensitive data about the WordPress installation (WPScan).

The vulnerability has been patched in Directorist version 7.4.4. Users are advised to update to this version or later to mitigate the security risk. No alternative workarounds have been published (WPScan).