Medium severity4.3OSV Advisory· Published Nov 12, 2025· Updated Apr 15, 2026

CVE-2025-12833

Description

The GeoDirectory – WP Business Directory Plugin and Classified Listings Directory plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.8.139 via the 'post_attachment_upload' function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with author-level access and above, to attach arbitrary image files to arbitrary places.

Affected products

Ayecode/GeodirectoryOSV
Range: 1.3.8, 1.5.7, 1.5.8, …

Patches

db655b04be32

https://github.com/ayecode/geodirectoryvia osv

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/AyeCode/geodirectory/commit/db655b04be32a160c0abf73217faf0a50585aa92nvd
plugins.trac.wordpress.org/changesetnvd
wordpress.org/plugins/geodirectory/nvd
www.wordfence.com/threat-intel/vulnerabilities/id/408f0c2a-ef3c-4592-8722-d56afce92e24nvd

News mentions

No linked articles in our index yet.

cvss	0.280
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000