CVE-2026-24549
Description
Cross-Site Request Forgery (CSRF) vulnerability in Paolo GeoDirectory geodirectory allows Cross Site Request Forgery. This issue affects GeoDirectory: from n/a through <= 2.8.149.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
GeoDirectory plugin <=2.8.149 has a CSRF flaw allowing attackers to force privileged users into unwanted actions.
Vulnerability Overview
The GeoDirectory WordPress plugin, versions 2.8.149 and earlier, contains a Cross-Site Request Forgery (CSRF) vulnerability [1]. This flaw arises from insufficient validation of request origins, enabling an attacker to craft malicious requests that appear legitimate to the server.
Exploitation Details
Exploitation requires user interaction: a privileged user (such as an administrator) must click a malicious link, visit a crafted page, or submit a specially designed form while authenticated [1]. The attacker needs no additional privileges to initiate the attack, but the victim must have higher privileges for the attack to succeed.
Impact
Successful exploitation allows an attacker to force the victim to perform unintended actions under their current authentication, such as changing settings or modifying content [1]. The CVSS v3 score is 4.3 (Medium), indicating a moderate severity with low impact potential.
Mitigation
The vendor has released version 2.8.150, which resolves this vulnerability [1]. Users are strongly advised to update immediately. Those unable to update should contact their hosting provider or web developer for assistance [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <=2.8.149
Patches
No patches discovered yet.
References