CVE-2026-42671
Missing Authorization in GeoDirectory
Publication date: 2026-06-01
Last updated on: 2026-06-01
Assigner: Patchstack
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| geodirectory | geodirectory | up to and including 2.8.157 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-42671 is a Missing Authorization vulnerability in the WordPress GeoDirectory Plugin, affecting versions up to and including 2.8.157.
This flaw allows unauthenticated users to perform actions that require higher privileges because of missing authorization, authentication, or nonce token checks.
It is classified as a Broken Access Control vulnerability, meaning the plugin does not correctly enforce access control on the affected action.
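To make the CWE-862 pattern concrete, here is an added illustration of what a missing authorization check typically looks like in a WordPress plugin AJAX handler, next to a hardened version. This is example code written for this page, not GeoDirectory's code and not the actual vulnerable function; the action name demo_update_listing, the nonce action name and the request parameters are hypothetical.

```php
<?php
// Added illustration of CWE-862 in a WordPress AJAX handler. NOT GeoDirectory's
// code; the action name "demo_update_listing", the nonce name and the POST
// parameters are hypothetical placeholders.

// Vulnerable pattern: the handler is registered on the nopriv hook, so anonymous
// visitors can reach it, and it performs a privileged write without checking
// a nonce or the caller's capability.
add_action( 'wp_ajax_demo_update_listing', 'demo_update_listing_vulnerable' );
add_action( 'wp_ajax_nopriv_demo_update_listing', 'demo_update_listing_vulnerable' );
function demo_update_listing_vulnerable() {
    $listing_id = isset( $_POST['listing_id'] ) ? absint( $_POST['listing_id'] ) : 0;
    $title      = isset( $_POST['title'] ) ? sanitize_text_field( wp_unslash( $_POST['title'] ) ) : '';
    // Input is sanitized, but nobody asked whether this caller may edit this post.
    wp_update_post( array( 'ID' => $listing_id, 'post_title' => $title ) );
    wp_send_json_success();
}

// Hardened pattern: no nopriv hook (logged-in users only), the request must
// carry a valid nonce, and the caller must hold the capability for the target.
add_action( 'wp_ajax_demo_update_listing_safe', 'demo_update_listing_safe' );
function demo_update_listing_safe() {
    // Terminates the request with a 403 if the nonce is missing or invalid.
    check_ajax_referer( 'demo_update_listing', 'nonce' );

    $listing_id = isset( $_POST['listing_id'] ) ? absint( $_POST['listing_id'] ) : 0;
    // Object-level authorization: edit_post is resolved against this specific post.
    if ( ! $listing_id || ! current_user_can( 'edit_post', $listing_id ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    $title = isset( $_POST['title'] ) ? sanitize_text_field( wp_unslash( $_POST['title'] ) ) : '';
    wp_update_post( array( 'ID' => $listing_id, 'post_title' => $title ) );
    wp_send_json_success();
}
```

The three checks are independent: dropping the nopriv registration keeps anonymous users out, the nonce defends against cross-site request forgery, and the capability check is the actual authorization decision (CWE-862). Sanitizing input, as both versions do, addresses injection but says nothing about whether the caller is allowed to act at all.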
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in the GeoDirectory plugin is a Broken Access Control issue that allows unauthenticated users to perform higher-privileged actions due to missing authorization checks.
Such unauthorized access can lead to improper handling or exposure of sensitive data, which may impact compliance with common standards and regulations like GDPR and HIPAA that require strict access controls to protect personal and health information.
Therefore, this vulnerability could potentially cause non-compliance with these regulations if exploited, as it undermines the security measures required to safeguard sensitive data.
How can this vulnerability impact me?
This vulnerability can allow attackers who are not logged in to perform privileged actions on affected websites using the GeoDirectory plugin.
Because it is a medium-priority issue with a CVSS score of 6.5, it is moderately dangerous and could be exploited in mass campaigns targeting thousands of websites.
Such exploitation could lead to unauthorized changes or disruptions on your website, potentially affecting its integrity and availability.
Immediate action is recommended, such as updating the plugin to version 2.8.158 or later, or applying mitigation rules to block attacks.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability allows unauthenticated users to perform higher-privileged actions due to missing authorization checks in the GeoDirectory WordPress plugin up to version 2.8.157.
Detection can involve monitoring for unusual or unauthorized access attempts to GeoDirectory plugin endpoints, especially those that normally require authentication.
Since the vulnerability is a broken access control issue, network or system administrators can look for HTTP requests to GeoDirectory plugin endpoints that perform privileged actions without an authenticated session.
Specific commands are not provided in the available resources, but general approaches include reviewing web server logs for suspicious requests and using intrusion detection systems to flag unauthorized access attempts.
What immediate steps should I take to mitigate this vulnerability?
The immediate recommended step is to update the GeoDirectory plugin to version 2.8.158 or later, which contains the fix for this vulnerability.
If updating is not possible immediately, users should seek assistance from their hosting provider or web developer to apply temporary mitigations.
Patchstack offers a mitigation rule that can be applied to block attacks targeting this vulnerability until the plugin is updated.