Impact
The GeoDirectory WordPress plugin contains a Cross-Site Request Forgery (CSRF) flaw: the plugin accepts requests that do not carry a valid anti-CSRF token. Because such forged requests are treated as legitimate, they are processed as if the authenticated user had submitted them. The vulnerability provides no direct code execution, but it lets an attacker trigger actions that normally require a logged-in user, potentially leading to unintended changes or data exposure.
Affected Systems
All installations of the GeoDirectory WordPress plugin developed by Paolo that run versions up to and including 2.8.149 are affected. Any WordPress site that has this plugin installed is exposed whenever a user is signed in, since the forged request is carried by that user's existing session.
Risk and Exploitability
The CVSS score of 4.3 indicates medium severity, while the EPSS score of less than 1% suggests a very low likelihood of exploitation at present. The plugin is not listed in CISA's KEV catalog. The likely attack scenario is a malicious website embedding resources that trigger the vulnerable endpoint while the victim remains authenticated; the browser sends the request automatically, with the user's cookies attached, and the plugin processes it as if the user had submitted it directly. The combination of moderate severity and low exploitation probability means the flaw could cause damage if leveraged in the wild, but the chance of it being exploited currently is low.
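The two passages above (the missing anti-CSRF token under Impact and the browser-driven attack scenario under Risk and Exploitability) describe one mechanism, modelled here as an added Python example. It is not GeoDirectory or WordPress code: it implements a nonce in the WordPress style (an HMAC over a time tick, the action name, the user id and the session token, with the current and previous 12-hour tick accepted) and runs the advisory's scenario against a handler that trusts the login cookie alone and against one that also verifies the nonce. The secret key, cookie name, session store, action name `gd_save_setting` and the handler names are constructed for the example and are not the plugin's own. It generalises slightly beyond the page by also showing nonce expiry and user binding.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed sample secret; stands in for the site's secret keys and salts.
SECRET_KEY = b"constructed-site-secret-not-a-real-key"
NONCE_LIFE = 24 * 3600   # WordPress nonces stay valid for about a day
TICK = NONCE_LIFE // 2   # time is split into 12-hour ticks; the current and previous tick are accepted
ACTION = "gd_save_setting"  # hypothetical action name, not a real GeoDirectory endpoint


def _nonce_for_tick(tick: int, user_id: int, session_token: str, action: str) -> str:
    # Bind the token to the time window, the action, the user and the login session.
    msg = f"{tick}|{action}|{user_id}|{session_token}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()[-12:]


def create_nonce(user_id: int, session_token: str, action: str, now: Optional[float] = None) -> str:
    now = time.time() if now is None else now
    return _nonce_for_tick(int(now // TICK), user_id, session_token, action)


def verify_nonce(nonce: str, user_id: int, session_token: str, action: str,
                 now: Optional[float] = None) -> int:
    """1 = current tick, 2 = previous tick, 0 = missing, forged or expired (wp_verify_nonce style)."""
    if not nonce:
        return 0
    now = time.time() if now is None else now
    tick = int(now // TICK)
    for age, t in ((1, tick), (2, tick - 1)):
        if hmac.compare_digest(_nonce_for_tick(t, user_id, session_token, action), nonce):
            return age
    return 0


@dataclass
class Request:
    cookies: Dict[str, str]  # attached by the browser automatically, even to cross-site requests
    params: Dict[str, str]   # POST body; an attacker's page can set these but cannot read the victim's nonce


@dataclass
class Site:
    sessions: Dict[str, Tuple[int, str]]               # login cookie value -> (user_id, session_token)
    settings: Dict[str, str] = field(default_factory=dict)


def _session(site: Site, req: Request) -> Optional[Tuple[int, str]]:
    # Constructed cookie name; real WordPress login cookies carry a site-specific suffix.
    return site.sessions.get(req.cookies.get("wordpress_logged_in", ""))


def handle_vulnerable(site: Site, req: Request) -> str:
    """Vulnerable pattern: the session cookie alone is taken as proof that the user meant this request."""
    if _session(site, req) is None:
        return "403 not logged in"
    site.settings[req.params["key"]] = req.params["value"]
    return "200 saved"


def handle_fixed(site: Site, req: Request, now: Optional[float] = None) -> str:
    """Hardened pattern: the request must also carry a nonce bound to this user, session and action."""
    sess = _session(site, req)
    if sess is None:
        return "403 not logged in"
    user_id, token = sess
    if not verify_nonce(req.params.get("_wpnonce", ""), user_id, token, ACTION, now):
        return "403 invalid nonce"
    site.settings[req.params["key"]] = req.params["value"]
    return "200 saved"


def demo(now: float = 1_000_000.0) -> Dict[str, Optional[str]]:
    """Replay the advisory's scenario against both handlers; returns the outcome of each case."""
    login_cookie = "constructed-login-cookie"
    site = Site(sessions={login_cookie: (7, "constructed-session-token")})
    victim_cookies = {"wordpress_logged_in": login_cookie}
    # Cross-site request: the attacker's page chose the body, the browser added the victim's cookie.
    forged = Request(cookies=victim_cookies,
                     params={"key": "contact", "value": "attacker@example.invalid"})
    # Same-site request: the page the victim loaded from the site included a fresh nonce.
    nonce = create_nonce(7, "constructed-session-token", ACTION, now)
    legit = Request(cookies=victim_cookies,
                    params={"key": "contact", "value": "owner@example.invalid", "_wpnonce": nonce})
    return {
        "forged_vs_vulnerable": handle_vulnerable(site, forged),
        "forged_vs_fixed": handle_fixed(site, forged, now),
        "legit_vs_fixed": handle_fixed(site, legit, now),
        "stale_nonce_vs_fixed": handle_fixed(site, legit, now + NONCE_LIFE + TICK),
        "final_contact": site.settings.get("contact"),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

In a real WordPress plugin the same check is done with `wp_verify_nonce()` or `check_ajax_referer()` on the handler side and `wp_create_nonce()` / `wp_nonce_field()` when the form or AJAX call is rendered, and it belongs next to a capability check such as `current_user_can()`: the nonce proves intent, the capability check proves authorisation, and neither replaces the other.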
OpenCVE Enrichment