Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Network-reachable WordPress plugin endpoint with missing authorization (PR:N, AC:L, UI:N); description limits impact to broken access control, so C:H but I:N/A:N.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Broken Access Control in WP Directory Kit <= 1.5.0 versions.
AnalysisAI
Unauthenticated broken access control in the WP Directory Kit WordPress plugin (versions ≤ 1.5.0) allows remote attackers to bypass authorization checks on plugin endpoints and access functionality or data that should require authentication. The flaw was disclosed via Patchstack and tracked as EUVD-2026-36963; no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Technical ContextAI
WP Directory Kit is a WordPress plugin used to build directory-style listing sites (members, businesses, locations). The CPE cpe:2.3:a:wp_directory_kit:wp_directory_kit:*:*:*:*:*:*:*:* covers all plugin versions up to 1.5.0. The root-cause class is CWE-862 (Missing Authorization), meaning one or more plugin AJAX actions, REST endpoints, or admin-post handlers fail to verify the caller’s capability (e.g. missing current_user_can()) or nonce, so requests proceed regardless of the requester’s identity. In WordPress plugins this pattern typically arises when handlers are registered on the no-priv AJAX hook or on unauthenticated REST routes without a permission_callback.
RemediationAI
Upstream fix available per the Patchstack advisory, but no specific vendor-released patched version is cited in the supplied data - released patched version not independently confirmed; administrators should upgrade WP Directory Kit to the latest available release newer than 1.5.0 from the WordPress.org plugin repository and confirm the installed version is above 1.5.0 after update. Until the upgrade is applied, restrict access to the WordPress site (IP allow-listing wp-admin/admin-ajax.php and the plugin's REST namespace at the WAF or reverse proxy) and consider temporarily deactivating the WP Directory Kit plugin - note that deactivation will break directory pages and any shortcodes the plugin renders, and IP restrictions on admin-ajax.php can disrupt legitimate front-end AJAX features of other plugins. Monitor the Patchstack advisory URL above for the fixed version number and apply it as soon as published.
More in Wp Directory Kit
View allThe WP Directory Kit plugin for WordPress is vulnerable to SQL Injection via the 'attribute_value' and 'attribute_id' pa
The WP Directory Kit plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1
The WP Directory Kit plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 1.1.9
The WP Directory Kit plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a m
The WP Directory Kit plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'search' parameter in
The WP Directory Kit plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including,
Blind SQL injection in the WP Directory Kit WordPress plugin (versions up to and including 1.5.1) allows remote unauthen
Blind SQL injection in the WP Directory Kit WordPress plugin (versions up to and including 1.5.0) allows remote unauthen
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WpDirectoryKit WP
The WP Directory Kit plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a m
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in wpdirectory
The WP Directory Kit plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including,
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36963
GHSA-v63q-fwcp-fph6