Description
Missing Authorization vulnerability in Designinvento DirectoryPress directorypress allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects DirectoryPress: from n/a through <= 3.6.25.
Published: 2026-02-19
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized access via broken access control
Action: Patch plugin
AI Analysis

Impact

The vulnerability is a missing authorization in the Designinvento DirectoryPress plugin, classified as a broken access control issue. Based on the description, it is inferred that an attacker that can reach the plugin’s web interface can exploit incorrectly configured access levels to bypass role checks and retrieve or manipulate protected data. The weakness is specifically identified as CWE‑862, and the CVSS score of 5.3 reflects a moderate potential impact on confidentiality and integrity for affected WordPress sites.

Affected Systems

WordPress installations that have the Designinvento DirectoryPress plugin version 3.6.25 or earlier. The vulnerability applies to all users, regardless of role, that can interact with the plugin’s pages or API endpoints because no authorization is enforced.

Risk and Exploitability

With a CVSS score of 5.3 the vulnerability is considered moderate, while the EPSS score of less than 1 % indicates a low likelihood of exploitation under current conditions. The vulnerability is not listed in the CISA KEV catalog, suggesting it has not yet been widely leveraged in incidents. Based on the description, it is inferred that attackers would need network access to the WordPress site or the ability to authenticate as a user to send requests to the plugin’s restricted endpoints. It is also inferred that, once the missing authorization check is exploitable, attackers could read or modify plugin data, but would not be able to remotely execute code or gain full system control.

Generated by OpenCVE AI on April 17, 2026 at 18:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the DirectoryPress plugin to the latest version, which includes the missing authorization fix.
  • If an update cannot be applied immediately, uninstall or deactivate the plugin to eliminate the exposed access paths.
  • Audit and tighten WordPress role capabilities to ensure that only privileged users can interact with the DirectoryPress administrative interface.
  • Optionally monitor site logs for anomalous access to DirectoryPress endpoints to detect potential exploitation attempts.

Generated by OpenCVE AI on April 17, 2026 at 18:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

 cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in designinvento DirectoryPress directorypress allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects DirectoryPress: from n/a through <= 3.6.25. Missing Authorization vulnerability in Designinvento DirectoryPress directorypress allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects DirectoryPress: from n/a through <= 3.6.25.

Thu, 26 Feb 2026 23:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Feb 2026 20:45:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Fri, 20 Feb 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Designinvento
Designinvento directorypress
Wordpress
Wordpress wordpress
Vendors & Products Designinvento
Designinvento directorypress
Wordpress
Wordpress wordpress

Thu, 19 Feb 2026 08:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in designinvento DirectoryPress directorypress allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects DirectoryPress: from n/a through <= 3.6.25.
Title WordPress DirectoryPress plugin <= 3.6.25 - Broken Access Control vulnerability
Weaknesses CWE-862
References

Subscriptions

Designinvento Directorypress
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:46.769Z

Reserved: 2026-01-14T08:36:07.869Z

Link: CVE-2026-23548

cve-icon Vulnrichment

Updated: 2026-02-26T18:47:35.847Z

cve-icon NVD

Status : Deferred

Published: 2026-02-19T09:16:12.787

Modified: 2026-04-28T16:16:06.783

Link: CVE-2026-23548

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T18:15:26Z

Weaknesses