Skip to main content

Directorist CVE-2026-39509

| EUVDEUVD-2026-20176 MEDIUM
Missing Authorization (CWE-862)
2026-04-08 Patchstack GHSA-rjr9-fgqp-jmc9
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
Apr 15, 2026 - 12:40 vuln.today
CVSS changed
Apr 13, 2026 - 19:37 NVD
5.3 (MEDIUM)
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20176
CVE Published
Apr 08, 2026 - 08:30 nvd
N/A

DescriptionCVE.org

Missing Authorization vulnerability in wpWax Directorist directorist allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Directorist: from n/a through <= 8.5.10.

AnalysisAI

Broken access control in wpWax Directorist WordPress plugin versions up to 8.5.10 allows unauthenticated remote attackers to modify data through incorrectly configured authorization checks. The vulnerability exploits missing permission validation on plugin functionality, enabling unauthorized state changes without authentication or user interaction. With EPSS at 0.02% and no public exploit code identified, real-world risk remains low despite network-accessible exploitation.

Technical ContextAI

Directorist is a WordPress directory plugin developed by wpWax that manages business listings, classifications, and user profiles. The vulnerability stems from CWE-862 (Missing Authorization), a fundamental access control flaw where the plugin fails to verify that a user has permission to perform requested actions before executing them. This likely occurs in WordPress REST API endpoints or form handlers that lack proper capability checks (such as current_user_can() verification or nonce validation), allowing the plugin to process state-modifying requests from unauthenticated sources. The affected CPE cpe:2.3:a:wpwax:directorist:*:*:*:*:*:*:*:* indicates all versions through 8.5.10 are impacted.

RemediationAI

Update the Directorist plugin to a patched version released after 8.5.10; check the official wpWax GitHub repository or WordPress.org plugin page for the latest available release. As a temporary mitigation, administrators can restrict direct access to plugin endpoints via Web Application Firewall (WAF) rules or limit REST API exposure until patching is completed. Refer to the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/directorist/vulnerability/wordpress-directorist-plugin-8-5-10-broken-access-control-vulnerability?_s_id=cve) for detailed patching instructions and follow wpWax's official security notices for confirmation of fixed versions.

CVE-2021-24981 HIGH POC
7.5 Dec 21

The Directorist WordPress plugin before 7.0.6.2 was vulnerable to Cross-Site Request Forgery to Remote File Upload leadi

CVE-2022-3961 MEDIUM POC
6.5 Dec 19

The Directorist WordPress plugin before 7.4.4 does not prevent users with low privileges (like subscribers) from accessi

CVE-2022-3930 MEDIUM POC
6.5 Dec 12

The Directorist WordPress plugin before 7.4.2.2 suffers from an IDOR vulnerability which an attacker can exploit to chan

CVE-2026-59518 CRITICAL
9.8 Jul 13

PHP Object Injection in the wpWax Directorist WordPress plugin (all versions through 8.8.2) lets remote attackers pass u

CVE-2022-2376 MEDIUM POC
5.3 Sep 05

The Directorist WordPress plugin before 7.3.1 discloses the email address of all users in an AJAX action available to bo

CVE-2022-2046 MEDIUM POC
4.9 Aug 08

The Directorist WordPress plugin before 7.2.3 allows administrators to download other plugins from the same vendor direc

CVE-2023-1888 HIGH
8.8 Jun 09

The Directorist plugin for WordPress is vulnerable to an arbitrary user password reset in versions up to, and including,

CVE-2022-2377 MEDIUM POC
4.3 Aug 22

The Directorist WordPress plugin before 7.3.0 does not have authorisation and CSRF checks in an AJAX action, allowing an

CVE-2025-1570 HIGH
8.1 Feb 28

The Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings plugin for WordPress is vulnerable to

CVE-2023-1889 MEDIUM
6.5 Jun 09

The Directorist plugin for WordPress is vulnerable to an Insecure Direct Object Reference in versions up to, and includi

CVE-2024-1322 MEDIUM
5.3 Feb 29

The Directorist - WordPress Business Directory Plugin with Classified Ads Listings plugin for WordPress is vulnerable to

CVE-2024-12041 MEDIUM
5.3 Feb 01

The Directorist: AI-Powered WordPress Business Directory Plugin with Classified Ads Listings plugin for WordPress is vul

Share

CVE-2026-39509 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy