Description
Missing Authorization vulnerability in wpWax Directorist directorist allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Directorist: from n/a through <= 8.5.10.
Published: 2026-04-08
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Broken Access Control
Action: Patch
AI Analysis

Impact

The vulnerability is a missing authorization flaw in the wpWax Directorist plugin that allows attackers to access functionality or resources that should be restricted. This flaw stems from incorrectly configured access control security settings, giving unauthorized users the ability to read or manipulate data meant for authorized users only. The weakness is a classic missing authorized access control issue and can lead to unauthorized disclosure, modification, or denial of sensitive content within the WordPress site.

Affected Systems

The flaw affects the wpWax Directorist plugin for WordPress versions up to and including 8.5.10. Users running these or older plugin releases are vulnerable; any installation of Directorist 8.5.10 or earlier should be considered at risk.

Risk and Exploitability

The CVSS score of 5.3 classifies the vulnerability as moderate severity, while the EPSS score of less than 1% indicates a low probability of exploitation in the near term. The vulnerability is not listed in the CISA KEV catalog, suggesting no known high‑profile exploits. Attackers would likely need a web application entry point to try to reach protected areas, and the flaw can be abused by unauthenticated users or users with insufficient privileges. The lack of a high exploit probability suggests that active attack traffic may be limited, yet the potential impact warrants timely remediation.

Generated by OpenCVE AI on April 13, 2026 at 21:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Directorist plugin to version 8.5.11 or later.

Generated by OpenCVE AI on April 13, 2026 at 21:01 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wpwax
Wpwax directorist
Vendors & Products Wordpress
Wordpress wordpress
Wpwax
Wpwax directorist

Wed, 08 Apr 2026 08:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in wpWax Directorist directorist allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Directorist: from n/a through <= 8.5.10.
Title WordPress Directorist plugin <= 8.5.10 - Broken Access Control vulnerability
Weaknesses CWE-862
References

Subscriptions

Wordpress Wordpress
Wpwax Directorist
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T09:52:02.099Z

Reserved: 2026-04-07T10:47:50.137Z

Link: CVE-2026-39509

cve-icon Vulnrichment

Updated: 2026-04-13T18:15:35.908Z

cve-icon NVD

Status : Deferred

Published: 2026-04-08T09:16:25.080

Modified: 2026-04-24T18:08:35.440

Link: CVE-2026-39509

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:39:57Z

Weaknesses