CVE-2026-42671
Description
A missing authorization vulnerability in the GeoDirectory WordPress plugin up to version 2.8.157 allows unprivileged users to perform unauthorized actions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The GeoDirectory WordPress plugin, in versions up to and including 2.8.157, contains a broken access control vulnerability. The flaw stems from a missing authorization check in the plugin's functions: the user's permissions are not properly validated before sensitive operations are executed [2].
Exploitation
An attacker does not require high-level privileges to exploit this vulnerability. By interacting with the affected plugin functions, an unprivileged user can trigger actions that are intended to be restricted to higher-privileged users. The vulnerability is considered moderately dangerous and is susceptible to mass-exploit campaigns targeting WordPress installations [2].
Impact
Successful exploitation of this vulnerability allows an unprivileged user to execute higher-privileged actions within the WordPress environment. This can lead to unauthorized modifications or administrative operations, potentially compromising the integrity and security of the directory website [2].
Mitigation
Users are advised to update the GeoDirectory plugin to version 2.8.158 or later to resolve this issue [2]. If an immediate update is not possible, site administrators should consult with their hosting provider or web developer to implement temporary security measures or firewall rules to block malicious requests [2].
AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 1
v2.8.158 - Release: geodirectory 2.8.158 (next version after vulnerable 2.8.157)
References: 1
News mentions: 0