Geodirectory
Unauthenticated SQL injection in the GeoDirectory WordPress plugin (versions up to and including 2.8.152) allows remote attackers to inject arbitrary SQL into backend database queries without any credentials or user interaction. The flaw was disclosed via Patchstack and is tracked as EUVD-2026-36951; no public exploit had been identified at the time of analysis, and the issue is not currently listed in CISA KEV. Given the WordPress plugin ecosystem's history of rapid weaponization of SQLi flaws, this should be treated as a priority despite the absence of confirmed in-the-wild activity.
Missing authorization in the GeoDirectory WordPress plugin (through v2.8.157) permits unauthenticated remote attackers to invoke privileged plugin operations without any credential requirement, resulting in partial integrity and availability impact on directory listings. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms low-complexity, network-accessible exploitation requiring no user interaction, reported by Patchstack under the 'Authentication Bypass' tag. No public exploit code or CISA KEV listing has been identified at time of analysis, placing this in a moderate-priority patch tier for any WordPress deployment running a public-facing GeoDirectory instance.
The GeoDirectory WordPress plugin before 2.8.120 does not validate and escape some of its shortcode attributes before outputting them back into the page or post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.