Skip to main content

Directorypress EUVDEUVD-2026-20213

| CVE-2026-39566 MEDIUM
Exposure of Sensitive System Information to an Unauthorized Control Sphere (CWE-497)
2026-04-08 Patchstack GHSA-qg69-99hf-gx2w
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

5
CVSS changed
Apr 29, 2026 - 10:22 NVD
4.0 (MEDIUM) 4.3 (MEDIUM)
Analysis Generated
Apr 14, 2026 - 18:22 vuln.today
CVSS changed
Apr 14, 2026 - 18:22 NVD
4.0 (MEDIUM)
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20213
CVE Published
Apr 08, 2026 - 08:30 nvd
N/A

DescriptionCVE.org

Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Designinvento DirectoryPress directorypress allows Retrieve Embedded Sensitive Data.This issue affects DirectoryPress: from n/a through <= 3.6.26.

AnalysisAI

DirectoryPress WordPress plugin versions 3.6.26 and earlier expose sensitive system information through an information disclosure vulnerability that allows unauthenticated remote attackers to retrieve embedded sensitive data with high attack complexity. The vulnerability has a CVSS score of 4.0 with low confidentiality impact and affects the scope beyond the vulnerable component. No public exploit code or active exploitation has been identified at the time of analysis, though the EPSS score of 0.02% suggests minimal real-world exploitation likelihood.

Technical ContextAI

This vulnerability is classified as CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere), a common weakness in web applications where sensitive data becomes accessible outside its intended protective boundary. In the context of DirectoryPress, a WordPress directory plugin, the vulnerability likely stems from improper access controls or data filtering mechanisms that expose system or configuration information through an API endpoint, page parameter, or embedded data structure accessible without authentication. The attack requires high complexity (AC:H) despite network accessibility, suggesting the vulnerability may require specific conditions, unusual request formats, or timing to exploit. The confidentiality impact is limited (C:L) and does not affect integrity or availability, indicating the exposure is read-only and restricted in scope.

RemediationAI

Users should update DirectoryPress to a version newer than 3.6.26 as soon as a patched release becomes available from Designinvento. Monitor the Patchstack vulnerability database and the official DirectoryPress plugin repository for patch availability announcements. As an interim measure, restrict access to the DirectoryPress plugin through Web Application Firewall rules or network controls if the exposed endpoint or parameter can be identified. Disable the plugin entirely if it is non-critical to operations until a patch is available. Audit any systems running DirectoryPress to determine if sensitive information has been exposed through this vector.

Share

EUVD-2026-20213 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy