GeoDirectory – WP Business Directory Plugin and Classified Listings Directory <= 2.8.157 - Missing Authorization
Description
The GeoDirectory – WP Business Directory Plugin and Classified Listings Directory plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.8.157. This makes it possible for unauthenticated attackers to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NTechnical Details
What Changed in the Fix
Changes introduced in v2.8.158
Source Code
WordPress.org SVNdirectory]` or just a page where GD is active. - ID: CVE-2026-42671 (GeoDirectory <= 2.8.157 - Missing Authorization) - Vulnerable Action: `geodir_timezone_data` (High probability for I:L/Missing Authorization) - Source File: `includes/class-geodir-ajax.php` - Function: `timezone_da…
Show full research plan
directory]` or just a page where GD is active.
- ID: CVE-2026-42671 (GeoDirectory <= 2.8.157 - Missing Authorization)
- Vulnerable Action: `geodir_timezone_data` (High probability for I:L/Missing Authorization)
- Source File: `includes/class-geodir-ajax.php`
- Function: `timezone_data`
Let's double-check if `save_post` is better.
If `save_post` is `nopriv => true`, that is a huge vulnerability.
But usually, `save_post` in directory plugins is heavily guarded by nonces.
The "Missing Authorization" CVE for GeoDirectory 2.8.157 specifically points to `geodir_timezone_data`.
Actually, let me look at the `timezone_data` registration again.
`'timezone_data' => true`
This means `wp_ajax_nopriv_geodir_timezone_data` exists.
Wait, I found the exact patch for 2.8.158:
They added `check_ajax_referer( 'geodir_timezone_data', 'nonce' )` AND `if ( ! is_user_logged_in() ) { wp_die(); }`.
In 2.8.157, it was missing both!
So, the unauthenticated
Summary
The GeoDirectory plugin for WordPress is vulnerable to unauthorized access due to a missing authentication and capability check on the `geodir_timezone_data` AJAX action. This vulnerability allows unauthenticated attackers to trigger the function and perform unauthorized actions by interacting with the WordPress AJAX endpoint.
Vulnerable Code
// includes/class-geodir-ajax.php line 78 'timezone_data' => true, --- // includes/class-geodir-ajax.php lines 83-91 foreach ( $ajax_events as $ajax_event => $nopriv ) { add_action( 'wp_ajax_geodir_' . $ajax_event, array( __CLASS__, $ajax_event ) ); if ( $nopriv ) { add_action( 'wp_ajax_nopriv_geodir_' . $ajax_event, array( __CLASS__, $ajax_event ) ); } // GeoDir AJAX can be used for frontend ajax requests. add_action( 'geodir_ajax_geodir_' . $ajax_event, array( __CLASS__, $ajax_event ) ); }
Security Fix
@@ -78,7 +78,7 @@ - 'timezone_data' => true, + 'timezone_data' => false, /* In GeoDir_AJAX::timezone_data() */ + check_ajax_referer( 'geodir_timezone_data', 'nonce' ); + if ( ! is_user_logged_in() ) { + wp_die(); + }
Exploit Outline
The vulnerability is exploited by targeting the WordPress AJAX endpoint without any authentication. An attacker sends a POST or GET request to `/wp-admin/admin-ajax.php` with the `action` parameter set to `geodir_timezone_data`. Because the plugin registers this action with the `wp_ajax_nopriv_` hook (indicated by the `true` value in the `$ajax_events` array) and lacks internal checks for user capabilities or login status in version 2.8.157, the server will execute the `timezone_data` logic for any unauthenticated visitor.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.