CVE-2026-24549
BaseFortify
Publication date: 2026-01-23
Last updated on: 2026-04-01
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| geodirectory | geodirectory | to 2.8.147 (inc) |
| geodirectory | geodirectory | to 2.8.150 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-24549 is a Cross Site Request Forgery (CSRF) vulnerability in the WordPress GeoDirectory Plugin up to version 2.8.147. It allows an attacker to trick privileged users into performing unwanted actions while they are authenticated by having them click a malicious link, visit a crafted page, or submit a form. The attacker does not need to be authenticated but requires user interaction and a privileged user to be involved. [1]
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized actions being executed on behalf of privileged users without their consent. Although the severity is low (CVSS 4.3) and exploitation is considered unlikely due to the need for user interaction and privileged user involvement, it could still result in broken access control and potential misuse of the GeoDirectory plugin's features. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a Cross Site Request Forgery (CSRF) affecting the GeoDirectory WordPress plugin up to version 2.8.147. Detection involves identifying if the vulnerable plugin version is installed and active. Since it requires user interaction and privileged user involvement, network detection is difficult. There are no specific commands provided to detect exploitation attempts. Checking the plugin version via WordPress admin or using WP-CLI commands like 'wp plugin list' to verify the GeoDirectory plugin version can help identify if the system is vulnerable. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to privileged user accounts, educating users to avoid clicking suspicious links or visiting untrusted pages, and implementing additional security measures such as Web Application Firewalls (WAF) or security plugins that can help prevent CSRF attacks. Since no official fix or patched version is currently available, monitoring for suspicious activity and limiting user privileges are recommended. [1]