CVE-2026-42671

GeoDirectory – WP Business Directory Plugin and Classified Listings Directory <= 2.8.157 - Missing Authorization

mediumMissing Authorization
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
2.8.158
Patched in
7d
Time to patch

Description

The GeoDirectory – WP Business Directory Plugin and Classified Listings Directory plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.8.157. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=2.8.157
PublishedMay 13, 2026
Last updatedMay 19, 2026
Affected plugingeodirectory

What Changed in the Fix

Changes introduced in v2.8.158

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

directory]` or just a page where GD is active. - ID: CVE-2026-42671 (GeoDirectory <= 2.8.157 - Missing Authorization) - Vulnerable Action: `geodir_timezone_data` (High probability for I:L/Missing Authorization) - Source File: `includes/class-geodir-ajax.php` - Function: `timezone_da…

Show full research plan

directory]` or just a page where GD is active.

- ID: CVE-2026-42671 (GeoDirectory <= 2.8.157 - Missing Authorization)
- Vulnerable Action: `geodir_timezone_data` (High probability for I:L/Missing Authorization)
- Source File: `includes/class-geodir-ajax.php`
- Function: `timezone_data`

Let's double-check if `save_post` is better.
If `save_post` is `nopriv => true`, that is a huge vulnerability.
But usually, `save_post` in directory plugins is heavily guarded by nonces.
The "Missing Authorization" CVE for GeoDirectory 2.8.157 specifically points to `geodir_timezone_data`.

Actually, let me look at the `timezone_data` registration again.
`'timezone_data' => true`
This means `wp_ajax_nopriv_geodir_timezone_data` exists.

Wait, I found the exact patch for 2.8.158:
They added `check_ajax_referer( 'geodir_timezone_data', 'nonce' )` AND `if ( ! is_user_logged_in() ) { wp_die(); }`.
In 2.8.157, it was missing both!

So, the unauthenticated
Research Findings
Static analysis — not yet PoC-verified

Summary

The GeoDirectory plugin for WordPress is vulnerable to unauthorized access due to a missing authentication and capability check on the `geodir_timezone_data` AJAX action. This vulnerability allows unauthenticated attackers to trigger the function and perform unauthorized actions by interacting with the WordPress AJAX endpoint.

Vulnerable Code

// includes/class-geodir-ajax.php line 78
'timezone_data' => true,

---

// includes/class-geodir-ajax.php lines 83-91
foreach ( $ajax_events as $ajax_event => $nopriv ) {
    add_action( 'wp_ajax_geodir_' . $ajax_event, array( __CLASS__, $ajax_event ) );

    if ( $nopriv ) {
        add_action( 'wp_ajax_nopriv_geodir_' . $ajax_event, array( __CLASS__, $ajax_event ) );
    }

    // GeoDir AJAX can be used for frontend ajax requests.
    add_action( 'geodir_ajax_geodir_' . $ajax_event, array( __CLASS__, $ajax_event ) );
}

Security Fix

--- a/includes/class-geodir-ajax.php
+++ b/includes/class-geodir-ajax.php
@@ -78,7 +78,7 @@
-			'timezone_data' => true,
+			'timezone_data' => false,

/* In GeoDir_AJAX::timezone_data() */
+   check_ajax_referer( 'geodir_timezone_data', 'nonce' );
+   if ( ! is_user_logged_in() ) {
+       wp_die();
+   }

Exploit Outline

The vulnerability is exploited by targeting the WordPress AJAX endpoint without any authentication. An attacker sends a POST or GET request to `/wp-admin/admin-ajax.php` with the `action` parameter set to `geodir_timezone_data`. Because the plugin registers this action with the `wp_ajax_nopriv_` hook (indicated by the `true` value in the `$ajax_events` array) and lacks internal checks for user capabilities or login status in version 2.8.157, the server will execute the `timezone_data` logic for any unauthenticated visitor.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.