
GeoDirectory CVE-2026-42671

EUVD-2026-33692 · MEDIUM
Missing Authorization (CWE-862)
2026-06-01 · Patchstack · GHSA-w25m-xp58-ggp4
6.5 (CVSS 3.1, NVD)

Severity by source

NVD (primary): 6.5 MEDIUM
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: Low

Lifecycle Timeline

1. Analysis Generated: Jun 01, 2026 - 17:24 (vuln.today)

Description (CVE.org)

Missing Authorization vulnerability in Paolo GeoDirectory allows Exploiting Incorrectly Configured Access Control Security Levels.

This issue affects GeoDirectory: from n/a through 2.8.157.

Analysis (AI)

Missing authorization in the GeoDirectory WordPress plugin (through v2.8.157) permits unauthenticated remote attackers to invoke privileged plugin operations without any credential requirement, resulting in partial integrity and availability impact on directory listings. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms low-complexity, network-accessible exploitation requiring no user interaction, reported by Patchstack under the 'Authentication Bypass' tag. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Fingerprint target WordPress site for GeoDirectory plugin
Delivery: Identify vulnerable unauthenticated plugin endpoint
Exploit: Send crafted HTTP request without credentials
Execution: Bypass missing authorization check
Persist: Execute unauthorized privileged operation
Impact: Corrupt or disrupt GeoDirectory listing data

Vulnerability Assessment (AI)

Exploitation: No authentication is required; CVSS PR:N and UI:N confirm unauthenticated exploitation against any publicly network-accessible WordPress installation running GeoDirectory through version 2.8.157. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: CVSS 6.5 medium with a fully unauthenticated network vector (AV:N/AC:L/PR:N/UI:N) indicates a straightforward remote exploitation path requiring no special setup. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An unauthenticated attacker identifies a WordPress site running GeoDirectory through v2.8.157 via plugin fingerprinting (e.g., checking /wp-content/plugins/geodirectory/ paths) and sends a crafted HTTP POST request directly to the vulnerable plugin endpoint without supplying any authentication token or cookie. The missing authorization check allows the request to proceed, enabling the attacker to modify or delete directory listings, or trigger actions that degrade plugin availability. …

Remediation: The primary remediation is to upgrade GeoDirectory beyond version 2.8.157; consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/geodirectory/vulnerability/wordpress-geodirectory-plugin-2-8-157-broken-access-control-vulnerability for the exact patched release version, as the specific fixed version number was not confirmed in the available source data. … Detailed patch versions, workarounds, and compensating controls in full report.
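The advisory does not publish which GeoDirectory handler lacked its authorization check, so the following is an added, generic illustration of the CWE-862 pattern in a WordPress plugin and of how plugin authors close it; it is not GeoDirectory's code, and every hook, action, post type and capability name in it is a hypothetical placeholder. It shows an admin-ajax handler exposed to logged-out visitors with no caller check, the same handler with a nonce and an object-level capability check, and the equivalent rule expressed as a REST route permission_callback.

```php
<?php
/*
 * Added illustration (not GeoDirectory code): the CWE-862 pattern in a
 * WordPress plugin and its hardened form. Hook, action, post type and
 * capability names below are hypothetical placeholders for the example.
 */

// --- Vulnerable pattern ---------------------------------------------------
// Registering the handler on wp_ajax_nopriv_ as well as wp_ajax_ exposes it
// to logged-out visitors, and the handler itself never asks who is calling.
add_action( 'wp_ajax_example_delete_listing',        'example_delete_listing_vulnerable' );
add_action( 'wp_ajax_nopriv_example_delete_listing', 'example_delete_listing_vulnerable' );

function example_delete_listing_vulnerable() {
    $post_id = absint( $_POST['post_id'] ?? 0 );
    // No capability check and no nonce: any network client can delete a listing.
    wp_delete_post( $post_id, true );
    wp_send_json_success( array( 'deleted' => $post_id ) );
}

// --- Hardened pattern -----------------------------------------------------
// 1. Register only for authenticated users (the nopriv hook is dropped).
// 2. Verify a nonce so a logged-in user cannot be made to issue the request.
// 3. Check a capability scoped to the specific object, not merely "logged in".
add_action( 'wp_ajax_example_delete_listing_secure', 'example_delete_listing_secure' );

function example_delete_listing_secure() {
    // check_ajax_referer() terminates the request with a 403 when the nonce
    // is missing or invalid.
    check_ajax_referer( 'example_delete_listing', 'nonce' );

    $post_id = absint( $_POST['post_id'] ?? 0 );

    // Object-level authorization: the caller must be allowed to delete THIS
    // post, and the post must belong to the plugin's own post type.
    if ( 'example_listing' !== get_post_type( $post_id )
        || ! current_user_can( 'delete_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Not permitted.' ), 403 );
    }

    wp_delete_post( $post_id, true );
    wp_send_json_success( array( 'deleted' => $post_id ) );
}

// --- Same rule for REST routes -------------------------------------------
// A route whose permission_callback is '__return_true' is the REST analogue
// of the nopriv hook above; the callback should express the real rule.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/listing/(?P<id>\d+)', array(
        'methods'             => 'DELETE',
        'callback'            => function ( WP_REST_Request $request ) {
            $post_id = absint( $request['id'] );
            wp_delete_post( $post_id, true );
            return rest_ensure_response( array( 'deleted' => $post_id ) );
        },
        'permission_callback' => function ( WP_REST_Request $request ) {
            $post_id = absint( $request['id'] );
            return 'example_listing' === get_post_type( $post_id )
                && current_user_can( 'delete_post', $post_id );
        },
        'args' => array(
            'id' => array(
                // Closure rather than a bare 'is_numeric' string, because WP
                // passes extra arguments to validate callbacks.
                'validate_callback' => function ( $value ) { return is_numeric( $value ); },
            ),
        ),
    ) );
} );
```

When auditing a plugin for this class of issue, the two places to look are every wp_ajax_nopriv_ registration (does the handler ever need anonymous access at all?) and every REST route with a permissive permission_callback; a nonce alone is not authorization, since it only proves the request came from a page the site served, not that the user may perform the action.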



