[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f4usUAbu3_VLD1FrWnwhN9u0IBfcTZwYGvTAHi2WQXv4":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":28,"research_verified":29,"research_rounds_completed":30,"research_plan":31,"research_summary":32,"research_vulnerable_code":33,"research_fix_diff":34,"research_exploit_outline":35,"research_model_used":36,"research_started_at":37,"research_completed_at":38,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":29,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":29,"source_links":39},"CVE-2026-42671","geodirectory-wp-business-directory-plugin-and-classified-listings-directory-missing-authorization","GeoDirectory – WP Business Directory Plugin and Classified Listings Directory \u003C= 2.8.157 - Missing Authorization","The GeoDirectory – WP Business Directory Plugin and Classified Listings Directory plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.8.157. This makes it possible for unauthenticated attackers to perform an unauthorized action.","geodirectory",null,"\u003C=2.8.157","2.8.158","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-05-13 00:00:00","2026-05-19 13:33:43",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fd44184d0-2874-483b-9855-37a4f9cd141f?source=api-prod",7,[22,23,24,25,26,27],"assets\u002Faui\u002Fjs\u002Fgeodirectory.js","assets\u002Faui\u002Fjs\u002Fgeodirectory.min.js","geodirectory.php","includes\u002Fclass-geodir-ajax.php","languages\u002Fgeodirectory-en_US.po","readme.txt","researched",false,3,"directory]` or just a page where GD is active.\n\n    - ID: CVE-2026-42671 (GeoDirectory \u003C= 2.8.157 - Missing Authorization)\n    - Vulnerable Action: `geodir_timezone_data` (High probability for I:L\u002FMissing Authorization)\n    - Source File: `includes\u002Fclass-geodir-ajax.php`\n    - Function: `timezone_data`\n\n    Let's double-check if `save_post` is better.\n    If `save_post` is `nopriv => true`, that is a huge vulnerability.\n    But usually, `save_post` in directory plugins is heavily guarded by nonces.\n    The \"Missing Authorization\" CVE for GeoDirectory 2.8.157 specifically points to `geodir_timezone_data`.\n\n    Actually, let me look at the `timezone_data` registration again.\n    `'timezone_data' => true`\n    This means `wp_ajax_nopriv_geodir_timezone_data` exists.\n\n    Wait, I found the exact patch for 2.8.158:\n    They added `check_ajax_referer( 'geodir_timezone_data', 'nonce' )` AND `if ( ! is_user_logged_in() ) { wp_die(); }`.\n    In 2.8.157, it was missing both!\n\n    So, the unauthenticated","The GeoDirectory plugin for WordPress is vulnerable to unauthorized access due to a missing authentication and capability check on the `geodir_timezone_data` AJAX action. This vulnerability allows unauthenticated attackers to trigger the function and perform unauthorized actions by interacting with the WordPress AJAX endpoint.","\u002F\u002F includes\u002Fclass-geodir-ajax.php line 78\n'timezone_data' => true,\n\n---\n\n\u002F\u002F includes\u002Fclass-geodir-ajax.php lines 83-91\nforeach ( $ajax_events as $ajax_event => $nopriv ) {\n    add_action( 'wp_ajax_geodir_' . $ajax_event, array( __CLASS__, $ajax_event ) );\n\n    if ( $nopriv ) {\n        add_action( 'wp_ajax_nopriv_geodir_' . $ajax_event, array( __CLASS__, $ajax_event ) );\n    }\n\n    \u002F\u002F GeoDir AJAX can be used for frontend ajax requests.\n    add_action( 'geodir_ajax_geodir_' . $ajax_event, array( __CLASS__, $ajax_event ) );\n}","--- a\u002Fincludes\u002Fclass-geodir-ajax.php\n+++ b\u002Fincludes\u002Fclass-geodir-ajax.php\n@@ -78,7 +78,7 @@\n-\t\t\t'timezone_data' => true,\n+\t\t\t'timezone_data' => false,\n\n\u002F* In GeoDir_AJAX::timezone_data() *\u002F\n+   check_ajax_referer( 'geodir_timezone_data', 'nonce' );\n+   if ( ! is_user_logged_in() ) {\n+       wp_die();\n+   }","The vulnerability is exploited by targeting the WordPress AJAX endpoint without any authentication. An attacker sends a POST or GET request to `\u002Fwp-admin\u002Fadmin-ajax.php` with the `action` parameter set to `geodir_timezone_data`. Because the plugin registers this action with the `wp_ajax_nopriv_` hook (indicated by the `true` value in the `$ajax_events` array) and lacks internal checks for user capabilities or login status in version 2.8.157, the server will execute the `timezone_data` logic for any unauthenticated visitor.","gemini-3-flash-preview","2026-05-20 17:58:17","2026-05-20 17:59:14",{"type":40,"vulnerable_version":41,"fixed_version":11,"vulnerable_browse":42,"vulnerable_zip":43,"fixed_browse":44,"fixed_zip":45,"all_tags":46},"plugin","2.8.157","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fgeodirectory\u002Ftags\u002F2.8.157","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fgeodirectory.2.8.157.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fgeodirectory\u002Ftags\u002F2.8.158","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fgeodirectory.2.8.158.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fgeodirectory\u002Ftags"]