
GeoDirectory EUVD-2026-36951

CVE-2026-39512 CRITICAL
SQL Injection (CWE-89)
2026-06-15 · Patchstack · GHSA-5cfj-2j7j-f96c
CVSS 3.1 score 9.3 · Vendor: Patchstack

Severity by source

Vendor (Patchstack), primary: 9.3 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L

vuln.today AI: 9.9 CRITICAL
Unauthenticated, network-reachable SQLi gives PR:N/AV:N/AC:L; the scope change is retained because the database spans components; Integrity raised from I:N to I:L since SQLi typically allows some write or manipulation.
CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:L/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS Vector (Vendor: Patchstack)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: None
Availability: Low

Lifecycle Timeline

1. Analysis Generated: Jun 15, 2026 - 22:23 (vuln.today)

Description (CVE.org)

Unauthenticated SQL Injection in GeoDirectory <= 2.8.152 versions.

Analysis (AI)

Unauthenticated SQL injection in the GeoDirectory WordPress plugin (versions up to and including 2.8.152) allows remote attackers to inject arbitrary SQL into backend database queries without any credentials or user interaction. The flaw was disclosed via Patchstack and is tracked as EUVD-2026-36951; no public exploit had been identified at the time of analysis, and the issue is not currently listed in CISA KEV. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Identify WordPress site running GeoDirectory ≤2.8.152
Delivery: Send crafted HTTP request to vulnerable endpoint
Exploit: Inject SQL via unsanitized parameter
Execution: Exfiltrate wp_users hashes and secrets
Persist: Crack or replay admin session
Impact: Full site compromise via plugin editor

Vulnerability Assessment (AI)

Exploitation: No special conditions. Remote, unauthenticated exploitation against default configurations of the GeoDirectory WordPress plugin at versions ≤2.8.152 (CVSS AV:N/AC:L/PR:N/UI:N). … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: Risk is high in aggregate. CVSS 9.3 reflects AV:N/AC:L/PR:N/UI:N (remote, low complexity, no authentication, no user interaction) with a Scope change (S:C) indicating the injection can read data beyond the vulnerable component's privilege boundary. The impact metrics are C:H (full database confidentiality compromise: credential hashes, user PII, session tokens), I:N (no direct integrity impact claimed), and A:L (limited availability impact from heavy queries or locks). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An unauthenticated attacker scans WordPress sites for the GeoDirectory plugin (fingerprintable via /wp-content/plugins/geodirectory/ asset paths), then sends a crafted HTTP request to a vulnerable directory search or listing endpoint with malicious SQL injected into a query parameter, executing a UNION-based extraction of wp_users credentials and session tokens. The attacker then cracks or replays an administrator session to pivot into full WordPress site takeover via the plugin/theme editor or PHP file upload. …

Remediation: An upstream fix is available per the Patchstack advisory. The released patched version is not independently confirmed in the provided data, so administrators should upgrade GeoDirectory to the latest version above 2.8.152 published on wordpress.org or via the plugin's update channel, and verify the installed version after upgrading. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI)

Within 24 hours: Inventory all WordPress sites running GeoDirectory and confirm installed versions. …
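The remediation and recommended-action passages above both come down to one check: find every GeoDirectory install and decide whether its version is still within the affected range (≤ 2.8.152). The script below is an added example for that inventory step; it is not code from vuln.today, Patchstack or the GeoDirectory project. It reads the standard WordPress plugin header (`Version:` line) and compares versions numerically, which avoids the lexical trap where "2.8.9" sorts after "2.8.152". The main-file name `geodirectory.php` and every version in the sample headers are assumptions constructed for the example; the page does not state the fixed version, so the script only reports whether an install is at or below 2.8.152.

```python
"""Inventory helper: flag GeoDirectory installs at or below 2.8.152 (the
affected range stated in the advisory). Added example, not project code."""
import re
from pathlib import Path

# Upper bound of the affected range as stated on the advisory page.
AFFECTED_MAX = (2, 8, 152)

# Asset path named on the page; the main-file name is an assumption.
PLUGIN_DIR = "wp-content/plugins/geodirectory"
MAIN_FILE = "geodirectory.php"

# Matches the "Version:" line of a WordPress plugin header, e.g. " * Version: 2.8.152".
_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9]+(?:\.[0-9]+)*)", re.MULTILINE)


def parse_version(header_text):
    """Return the plugin header version as a tuple of ints, or None if absent."""
    m = _VERSION_RE.search(header_text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(version):
    """True when the version is <= 2.8.152. Tuple comparison is numeric per
    component, so (2, 8, 9) is correctly treated as older than (2, 8, 152)."""
    return version is not None and version <= AFFECTED_MAX


def assess_headers(headers):
    """Classify a mapping of site name -> plugin header text."""
    results = {}
    for site, text in headers.items():
        version = parse_version(text)
        if version is None:
            results[site] = "plugin header not found"
        elif is_affected(version):
            results[site] = "affected"
        else:
            results[site] = "not affected"
    return results


def check_site(wp_root):
    """Read the plugin main file under a WordPress root and classify it.
    Returns 'plugin not installed' when the file is missing."""
    main_file = Path(wp_root) / PLUGIN_DIR / MAIN_FILE
    if not main_file.is_file():
        return "plugin not installed"
    return assess_headers({"site": main_file.read_text(errors="replace")})["site"]


# Constructed sample headers (not real installs) covering the cases that matter:
# exactly the upper bound, an older release that lexically sorts "higher",
# a newer release, and a file with no version header at all.
SAMPLE_HEADERS = {
    "site-a": "<?php\n/**\n * Plugin Name: GeoDirectory\n * Version: 2.8.152\n */\n",
    "site-b": "<?php\n/**\n * Plugin Name: GeoDirectory\n * Version: 2.8.9\n */\n",
    "site-c": "<?php\n/**\n * Plugin Name: GeoDirectory\n * Version: 2.9.0\n */\n",  # hypothetical newer version
    "site-d": "<?php\n/**\n * Plugin Name: GeoDirectory\n */\n",
}

if __name__ == "__main__":
    for site, status in assess_headers(SAMPLE_HEADERS).items():
        print(f"{site}: {status}")
```

Run it against real hosts by pointing `check_site()` at each WordPress document root (or by collecting the header text over your management channel and feeding it to `assess_headers()`); anything reported as "affected" should be upgraded and then re-checked, as the Remediation passage advises.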


EUVD-2026-36951 vulnerability details – vuln.today
