Skip to main content

Business Directory EUVDEUVD-2026-40110

| CVE-2026-57339 MEDIUM
Missing Authorization (CWE-862)
2026-06-29 Patchstack GHSA-m542-2fpm-5vj8
6.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
vuln.today AI
6.5 MEDIUM

Network-reachable, no authentication per PR:N, no complexity barriers; impact capped at limited integrity and availability with no confidentiality loss per description; unchanged scope.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Jun 29, 2026 - 15:23 vuln.today
CVSS changed
Jun 29, 2026 - 15:22 NVD
6.6 (MEDIUM) 6.5 (MEDIUM)

DescriptionCVE.org

Unauthenticated Broken Access Control in Business Directory <= 6.4.23 versions.

AnalysisAI

Broken Access Control in the Business Directory WordPress plugin (versions 6.4.23 and below) permits unauthenticated remote attackers to perform unauthorized operations against directory data, yielding limited integrity and availability impacts. The CVSS vector AV:N/AC:L/PR:N/UI:N confirms exploitation requires no authentication, no special configuration, and no user interaction, making the attack trivially accessible to any network-reachable actor. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WordPress site with Business Directory plugin active
Exploit
Send unauthenticated HTTP request to unprotected plugin endpoint
Execution
Bypass absent authorization check
Impact
Modify or disrupt directory listing data

Vulnerability AssessmentAI

Exploitation No special conditions - remote unauthenticated exploitation against default installations of the Business Directory WordPress plugin version 6.4.23 and below. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 6.6 with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L presents a mixed picture. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with no account on the target WordPress site sends a crafted HTTP POST or GET request directly to an unprotected endpoint exposed by the Business Directory plugin - such as an admin-ajax.php action or a REST route - that lacks authorization checks. The server processes the request as though it were authorized, allowing the attacker to create, modify, or delete directory listings, or trigger actions that degrade availability of the directory feature. …
Remediation Update the Business Directory plugin to a version beyond 6.4.23 by visiting the WordPress admin dashboard under Plugins > Updates or by referencing the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/business-directory-plugin/vulnerability/wordpress-business-directory-plugin-6-4-23-broken-access-control-vulnerability for the confirmed patched release version, which was not explicitly stated in the available data. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-40110 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy