Description
The GeoDirectory – WP Business Directory Plugin and Classified Listings Directory plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.8.139 via the 'post_attachment_upload' function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with author-level access and above, to attach arbitrary image files to arbitrary places.
Published: 2025-11-12
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: arbitrary image attachment via missing authorization
Action: Update Plugin
AI Analysis

Impact

The GeoDirectory WordPress plugin contains an insecure direct object reference in the post_attachment_upload function. This flaw is caused by a missing validation on a user‑controlled key, allowing authenticated users with author-level permissions or greater to upload and attach any image file to any supported element within the plugin. The attack does not provide remote code execution, data exfiltration, or other direct system compromise, but it does enable a user to alter content that is displayed to site visitors.

Affected Systems

WordPress sites that have the GeoDirectory – WP Business Directory Plugin and Classified Listings Directory installed in any version up to and including 2.8.139 are affected. Any site with an author account or higher role that can access the plugin’s upload functionality is vulnerable.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate impact. An EPSS score of less than 1% suggests a very low but non‑zero probability that this vulnerability will be exploited. The vulnerability is not currently listed in the CISA KEV catalog. Exploitation requires an authenticated session with author or higher privileges, and the attack vector is the authenticated user’s ability to submit a file to the upload endpoint.

Generated by OpenCVE AI on April 22, 2026 at 03:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the GeoDirectory plugin to a version newer than 2.8.139, which removes the vulnerable upload functionality.
  • Verify that author and higher roles cannot access the post_attachment_upload function by adjusting role capabilities or disabling the upload feature, thereby addressing the CWE‑639 authorization bypass through user‑controlled key.
  • Audit existing attachments for potential malicious content and ensure no residual upload endpoints remain active.

Generated by OpenCVE AI on April 22, 2026 at 03:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 12 Nov 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 12 Nov 2025 12:45:00 +0000

Type Values Removed Values Added
First Time appeared Paoltaia
Paoltaia geodirectory
Wordpress
Wordpress wordpress
Vendors & Products Paoltaia
Paoltaia geodirectory
Wordpress
Wordpress wordpress

Wed, 12 Nov 2025 04:45:00 +0000

Type Values Removed Values Added
Description The GeoDirectory – WP Business Directory Plugin and Classified Listings Directory plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.8.139 via the 'post_attachment_upload' function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with author-level access and above, to attach arbitrary image files to arbitrary places.
Title GeoDirectory – WP Business Directory Plugin and Classified Listings Directory <= 2.8.139 - Missing Authorization to Authenticated (Author+) Arbitrary Image Attachment
Weaknesses CWE-639
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Paoltaia Geodirectory
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:48:26.458Z

Reserved: 2025-11-06T19:46:39.817Z

Link: CVE-2025-12833

cve-icon Vulnrichment

Updated: 2025-11-12T18:16:16.378Z

cve-icon NVD

Status : Deferred

Published: 2025-11-12T05:15:41.940

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12833

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T04:00:08Z

Weaknesses