Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Network-reachable unauthenticated object-injection per the disclosed vector; if a gadget chain enables RCE, C/I/A are all High, matching the reported 9.8.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Deserialization of Untrusted Data vulnerability in wpWax Directorist directorist allows Object Injection.This issue affects Directorist: from n/a through <= 8.8.2.
AnalysisAI
PHP Object Injection in the wpWax Directorist WordPress plugin (all versions through 8.8.2) lets remote attackers pass untrusted serialized data into a PHP deserialization sink, instantiating arbitrary objects that can trigger POP gadget chains for code execution, data theft, or site compromise. The flaw carries a critical 9.8 CVSS score with an unauthenticated network vector; it was disclosed by Patchstack. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that a Directorist input processing serialized data reaches a PHP deserialization sink AND that a usable POP gadget chain is present in the loaded PHP code (Directorist, WordPress core, or another active plugin) - without such a gadget, object injection yields limited or no impact. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H = 9.8) describes an unauthenticated, low-complexity remote attack with full confidentiality, integrity, and availability impact - nominally a top-priority issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker submits a crafted serialized PHP payload to a Directorist input that reaches unserialize(), causing the plugin to instantiate a malicious object graph that chains through available magic methods on the target site. If a suitable POP gadget exists in Directorist, WordPress core, or a co-installed plugin, this can escalate to arbitrary file writes or remote code execution, fully compromising the site. … |
| Remediation | No specific vendor-released fix version is included in the provided data; because the flaw affects versions through <= 8.8.2, administrators should upgrade Directorist to the next release above 8.8.2 as soon as the vendor publishes it and consult the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/directorist/vulnerability/wordpress-directorist-plugin-8-8-2-php-object-injection-vulnerability) for the exact patched version. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: inventory all WordPress instances for wpWax Directorist installation and document affected versions; disable and deactivate the plugin immediately in production environments; deploy Web Application Firewall rules to block PHP object injection exploitation attempts. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Directorist
View allThe Directorist WordPress plugin before 7.0.6.2 was vulnerable to Cross-Site Request Forgery to Remote File Upload leadi
The Directorist WordPress plugin before 7.4.4 does not prevent users with low privileges (like subscribers) from accessi
The Directorist WordPress plugin before 7.4.2.2 suffers from an IDOR vulnerability which an attacker can exploit to chan
The Directorist WordPress plugin before 7.3.1 discloses the email address of all users in an AJAX action available to bo
The Directorist WordPress plugin before 7.2.3 allows administrators to download other plugins from the same vendor direc
The Directorist plugin for WordPress is vulnerable to an arbitrary user password reset in versions up to, and including,
The Directorist WordPress plugin before 7.3.0 does not have authorisation and CSRF checks in an AJAX action, allowing an
The Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings plugin for WordPress is vulnerable to
The Directorist plugin for WordPress is vulnerable to an Insecure Direct Object Reference in versions up to, and includi
The Directorist - WordPress Business Directory Plugin with Classified Ads Listings plugin for WordPress is vulnerable to
Broken access control in wpWax Directorist WordPress plugin versions up to 8.5.10 allows unauthenticated remote attacker
The Directorist: AI-Powered WordPress Business Directory Plugin with Classified Ads Listings plugin for WordPress is vul
Same weakness CWE-502 – Deserialization of Untrusted Data
View allSame technique Deserialization
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43431