Skip to main content

Directorist EUVDEUVD-2026-43431

| CVE-2026-59518 CRITICAL
Deserialization of Untrusted Data (CWE-502)
2026-07-13 Patchstack
9.8
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
9.8 CRITICAL

Network-reachable unauthenticated object-injection per the disclosed vector; if a gadget chain enables RCE, C/I/A are all High, matching the reported 9.8.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 13, 2026 - 10:22 vuln.today
CVE Published
Jul 13, 2026 - 08:41 cve.org
CRITICAL 9.8

DescriptionCVE.org

Deserialization of Untrusted Data vulnerability in wpWax Directorist directorist allows Object Injection.This issue affects Directorist: from n/a through <= 8.8.2.

AnalysisAI

PHP Object Injection in the wpWax Directorist WordPress plugin (all versions through 8.8.2) lets remote attackers pass untrusted serialized data into a PHP deserialization sink, instantiating arbitrary objects that can trigger POP gadget chains for code execution, data theft, or site compromise. The flaw carries a critical 9.8 CVSS score with an unauthenticated network vector; it was disclosed by Patchstack. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach vulnerable Directorist endpoint
Delivery
Submit crafted serialized PHP payload
Exploit
Trigger unserialize object injection
Execution
Drive POP gadget chain via magic methods
Persist
Execute code or write files
Impact
Compromise WordPress site

Vulnerability AssessmentAI

Exploitation Exploitation requires that a Directorist input processing serialized data reaches a PHP deserialization sink AND that a usable POP gadget chain is present in the loaded PHP code (Directorist, WordPress core, or another active plugin) - without such a gadget, object injection yields limited or no impact. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H = 9.8) describes an unauthenticated, low-complexity remote attack with full confidentiality, integrity, and availability impact - nominally a top-priority issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker submits a crafted serialized PHP payload to a Directorist input that reaches unserialize(), causing the plugin to instantiate a malicious object graph that chains through available magic methods on the target site. If a suitable POP gadget exists in Directorist, WordPress core, or a co-installed plugin, this can escalate to arbitrary file writes or remote code execution, fully compromising the site. …
Remediation No specific vendor-released fix version is included in the provided data; because the flaw affects versions through <= 8.8.2, administrators should upgrade Directorist to the next release above 8.8.2 as soon as the vendor publishes it and consult the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/directorist/vulnerability/wordpress-directorist-plugin-8-8-2-php-object-injection-vulnerability) for the exact patched version. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: inventory all WordPress instances for wpWax Directorist installation and document affected versions; disable and deactivate the plugin immediately in production environments; deploy Web Application Firewall rules to block PHP object injection exploitation attempts. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2021-24981 HIGH POC
7.5 Dec 21

The Directorist WordPress plugin before 7.0.6.2 was vulnerable to Cross-Site Request Forgery to Remote File Upload leadi

CVE-2022-3961 MEDIUM POC
6.5 Dec 19

The Directorist WordPress plugin before 7.4.4 does not prevent users with low privileges (like subscribers) from accessi

CVE-2022-3930 MEDIUM POC
6.5 Dec 12

The Directorist WordPress plugin before 7.4.2.2 suffers from an IDOR vulnerability which an attacker can exploit to chan

CVE-2022-2376 MEDIUM POC
5.3 Sep 05

The Directorist WordPress plugin before 7.3.1 discloses the email address of all users in an AJAX action available to bo

CVE-2022-2046 MEDIUM POC
4.9 Aug 08

The Directorist WordPress plugin before 7.2.3 allows administrators to download other plugins from the same vendor direc

CVE-2023-1888 HIGH
8.8 Jun 09

The Directorist plugin for WordPress is vulnerable to an arbitrary user password reset in versions up to, and including,

CVE-2022-2377 MEDIUM POC
4.3 Aug 22

The Directorist WordPress plugin before 7.3.0 does not have authorisation and CSRF checks in an AJAX action, allowing an

CVE-2025-1570 HIGH
8.1 Feb 28

The Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings plugin for WordPress is vulnerable to

CVE-2023-1889 MEDIUM
6.5 Jun 09

The Directorist plugin for WordPress is vulnerable to an Insecure Direct Object Reference in versions up to, and includi

CVE-2024-1322 MEDIUM
5.3 Feb 29

The Directorist - WordPress Business Directory Plugin with Classified Ads Listings plugin for WordPress is vulnerable to

CVE-2026-39509 MEDIUM
5.3 Apr 08

Broken access control in wpWax Directorist WordPress plugin versions up to 8.5.10 allows unauthenticated remote attacker

CVE-2024-12041 MEDIUM
5.3 Feb 01

The Directorist: AI-Powered WordPress Business Directory Plugin with Classified Ads Listings plugin for WordPress is vul

Share

EUVD-2026-43431 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy