Skip to main content

WP Directory Kit CVE-2026-39534

| EUVDEUVD-2026-36963 HIGH
Missing Authorization (CWE-862)
2026-06-15 Patchstack GHSA-v63q-fwcp-fph6
7.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
7.5 HIGH

Network-reachable WordPress plugin endpoint with missing authorization (PR:N, AC:L, UI:N); description limits impact to broken access control, so C:H but I:N/A:N.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 22:18 vuln.today

DescriptionCVE.org

Unauthenticated Broken Access Control in WP Directory Kit <= 1.5.0 versions.

AnalysisAI

Unauthenticated broken access control in the WP Directory Kit WordPress plugin (versions ≤ 1.5.0) allows remote attackers to bypass authorization checks on plugin endpoints and access functionality or data that should require authentication. The flaw was disclosed via Patchstack and tracked as EUVD-2026-36963; no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Technical ContextAI

WP Directory Kit is a WordPress plugin used to build directory-style listing sites (members, businesses, locations). The CPE cpe:2.3:a:wp_directory_kit:wp_directory_kit:*:*:*:*:*:*:*:* covers all plugin versions up to 1.5.0. The root-cause class is CWE-862 (Missing Authorization), meaning one or more plugin AJAX actions, REST endpoints, or admin-post handlers fail to verify the caller’s capability (e.g. missing current_user_can()) or nonce, so requests proceed regardless of the requester’s identity. In WordPress plugins this pattern typically arises when handlers are registered on the no-priv AJAX hook or on unauthenticated REST routes without a permission_callback.

RemediationAI

Upstream fix available per the Patchstack advisory, but no specific vendor-released patched version is cited in the supplied data - released patched version not independently confirmed; administrators should upgrade WP Directory Kit to the latest available release newer than 1.5.0 from the WordPress.org plugin repository and confirm the installed version is above 1.5.0 after update. Until the upgrade is applied, restrict access to the WordPress site (IP allow-listing wp-admin/admin-ajax.php and the plugin's REST namespace at the WAF or reverse proxy) and consider temporarily deactivating the WP Directory Kit plugin - note that deactivation will break directory pages and any shortcodes the plugin renders, and IP restrictions on admin-ajax.php can disrupt legitimate front-end AJAX features of other plugins. Monitor the Patchstack advisory URL above for the fixed version number and apply it as soon as published.

CVE-2024-3217 HIGH
8.8 Apr 05

The WP Directory Kit plugin for WordPress is vulnerable to SQL Injection via the 'attribute_value' and 'attribute_id' pa

CVE-2025-13390 CRITICAL POC
10.0 Dec 03

The WP Directory Kit plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1

CVE-2023-2278 CRITICAL POC
9.8 Jun 13

The WP Directory Kit plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 1.1.9

CVE-2023-2351 MEDIUM POC
6.5 Jun 13

The WP Directory Kit plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a m

CVE-2023-2835 MEDIUM POC
6.1 Jun 02

The WP Directory Kit plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'search' parameter in

CVE-2023-2277 MEDIUM POC
6.1 Jun 13

The WP Directory Kit plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including,

CVE-2026-42672 CRITICAL
9.3 Jun 01

Blind SQL injection in the WP Directory Kit WordPress plugin (versions up to and including 1.5.1) allows remote unauthen

CVE-2026-39531 CRITICAL
9.3 May 21

Blind SQL injection in the WP Directory Kit WordPress plugin (versions up to and including 1.5.0) allows remote unauthen

CVE-2024-29774 HIGH
7.1 Mar 27

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WpDirectoryKit WP

CVE-2023-2280 MEDIUM
6.5 Jun 09

The WP Directory Kit plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a m

CVE-2024-37487 MEDIUM
6.1 Jul 21

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in wpdirectory

CVE-2023-2279 MEDIUM
5.4 Aug 31

The WP Directory Kit plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including,

Share

CVE-2026-39534 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy