Description
Missing Authorization vulnerability in wpWax Directorist directorist allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Directorist: from n/a through <= 8.6.6.
Published: 2026-02-20
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Broken Access Control
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a missing authorization flaw that allows a user to bypass properly configured access control security levels within the WordPress Directorist plugin. Because of this, an attacker who can reach the affected plugin can gain unauthorized access to restricted data or modify content that should be protected. The weakness is identified as CWE-862, which represents missing authorization, and the CVSS score of 7.1 indicates a high severity impact on confidentiality, integrity, and availability.

Affected Systems

The issue affects the wpWax Directorist plugin for WordPress, with vulnerable versions ranging from the earliest releases through version 8.6.6. Any WordPress site that has the Directorist plugin installed on a version at or below 8.6.6 is potentially impacted.

Risk and Exploitability

The CVSS score of 7.1 signals a significant risk, yet the EPSS score of less than 1% indicates that the probability of exploitation observed in the wild is very low at this time. The vulnerability is not listed in the CISA KEV catalog, suggesting it has not been widely exploited yet. Based on the description, the likely attack vector is a web-based access to the plugin’s administrative or restricted areas, requiring the attacker to have network access to the WordPress installation and the ability to submit crafted requests that exploit the missing authorization checks.

Generated by OpenCVE AI on April 27, 2026 at 20:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Directorist plugin to version 8.6.7 or later, which contains the vendor-supplied fix for the authorization issue.
  • If an immediate update is not possible, remove or restrict any administrative or privileged roles from users who can access the Directorist plugin’s protected endpoints until the patch is applied.
  • Ensure that all role and capability checks for the plugin’s features are enforced by reviewing the plugin’s core code or by implementing a plugin or theme that validates role permissions before rendering sensitive content.

Generated by OpenCVE AI on April 27, 2026 at 20:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N'}

 cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in wpWax Directorist directorist allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Directorist: from n/a through <= 8.5.10. Missing Authorization vulnerability in wpWax Directorist directorist allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Directorist: from n/a through <= 8.6.6.
Title WordPress Directorist plugin <= 8.5.10 - Broken Access Control vulnerability WordPress Directorist plugin <= 8.6.6 - Broken Access Control vulnerability

Tue, 24 Feb 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wpwax
Wpwax directorist
Vendors & Products Wordpress
Wordpress wordpress
Wpwax
Wpwax directorist

Fri, 20 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in wpWax Directorist directorist allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Directorist: from n/a through <= 8.5.10.
Title WordPress Directorist plugin <= 8.5.10 - Broken Access Control vulnerability
Weaknesses CWE-862
References

Subscriptions

Wordpress Wordpress
Wpwax Directorist
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:28.215Z

Reserved: 2025-12-15T10:01:24.070Z

Link: CVE-2025-68069

cve-icon Vulnrichment

Updated: 2026-02-24T21:46:53.887Z

cve-icon NVD

Status : Deferred

Published: 2026-02-20T16:22:09.380

Modified: 2026-04-27T19:16:24.677

Link: CVE-2025-68069

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-27T20:45:12Z

Weaknesses