CVE-2026-39512
Description
CVE-2026-39512 is an unauthenticated SQL Injection in GeoDirectory plugin version 2.8.152 and earlier, with critical CVSS 9.3, enabling full database compromise.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An unauthenticated SQL Injection vulnerability exists in the GeoDirectory WordPress plugin versions up to and including 2.8.152. The flaw allows an attacker to inject arbitrary SQL queries without requiring authentication, due to insufficient input sanitization in one or more parameters. The vulnerable versions are all releases prior to 2.8.154 [1].
Exploitation
An attacker can exploit this vulnerability by sending crafted HTTP requests to a vulnerable WordPress site running GeoDirectory plugin ≤ 2.8.152. No authentication or special privileges are required. The attack can be performed remotely over the network and does not require user interaction. The specific parameter used for injection has not been disclosed in the available reference, but the attack vector is expected to be straightforward via HTTP GET or POST parameters [1].
Impact
Successful exploitation allows a malicious actor to directly interact with the database. This includes, but is not limited to, extracting sensitive information (such as user credentials, personal data, site configuration), modifying or deleting data, and potentially escalating to further attacks. The CVSS score of 9.3 (Critical) reflects the severe confidentiality, integrity, and availability impact [1].
Mitigation
The vulnerability has been fixed in version 2.8.154 of the GeoDirectory plugin. Users are advised to update to version 2.8.154 or later immediately. If unable to update, users should restrict access to the vulnerable plugin or apply a virtual patch/web application firewall rule to block SQL injection attempts. Patchstack has issued a mitigation rule for their users. The vulnerability is expected to be widely exploited in mass campaigns [1].
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (no patches discovered yet)
Vulnerability mechanics
No source-code context for this CVE. Mechanics are only generated when we can read the actual fix diff; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References: 1
News mentions: 0 (no linked articles in our index yet)