CVE-2026-39534

Vulnerability

The vulnerability is an unauthenticated broken access control issue in the WP Directory Kit plugin for WordPress, affecting versions 1.5.0 and earlier. The plugin fails to properly enforce authorization, authentication, or nonce token checks in certain functions, making privileged actions reachable by unauthenticated users [1].

Exploitation

An attacker can exploit this vulnerability remotely without needing any prior authentication, user interaction, or special network position. By crafting direct requests to the affected endpoints, the attacker can trigger higher-privileged actions that should normally require an authenticated session [1].

Impact

Successful exploitation allows an unauthenticated attacker to execute actions reserved for higher-privileged users, such as administrators. This could lead to unauthorized data modification, deletion, or other administrative-level operations, potentially compromising the entire WordPress site [1].

Mitigation

The vendor has released version 1.5.1, which addresses the vulnerability. Users should update to WP Directory Kit 1.5.1 or later immediately. As an interim measure, Patchstack has issued a mitigation rule to block attacks until the update is applied [1].