Description
Unauthenticated SQL Injection in GeoDirectory <= 2.8.162 versions.
Published: 2026-06-26
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Unauthenticated SQL injection (CWE-89) affects the WordPress GeoDirectory plugin in versions up to and including 2.8.162. An attacker who can reach the site without logging in can inject SQL into a database query. The published CVSS vector (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L) rates the confidentiality impact high, the integrity impact none and the availability impact low, so the assessed consequence is disclosure of database contents, with possible degradation of availability, rather than modification of site content; whether a successful injection reaches beyond the WordPress database depends on the database user's privileges and is not stated by the CVE. The CWE mapping indicates a query built from untrusted input without parameterization or proper escaping, but the description does not identify the affected endpoint or parameter, and it does not claim remote code execution.

Affected Systems

The affected product is the GeoDirectory WordPress plugin; the assigner, Patchstack, lists the vendor as Paolo. Any WordPress site running the plugin at version 2.8.162 or earlier is affected; the fixed release is 2.8.163.

Risk and Exploitability

The CVSS 3.1 base score of 9.3 places the flaw in the Critical band (9.0 to 10.0), not merely High: the vector requires no privileges and no user interaction, and scope is changed, so the exploitability and impact sub-scores are summed and multiplied by 1.08. The missing EPSS value means no EPSS estimate has been published for this CVE yet; it is not evidence of low exploitation probability, and the SSVC enrichment rates the flaw as automatable. The vulnerability is not listed in the CISA KEV catalog, and SSVC records exploitation as 'none', that is, no public exploitation was known at publication. Because no authentication is required, any remote client that can reach the plugin's public endpoints can attempt injection with a single crafted HTTP request. The CVE does not name the vulnerable endpoint or parameter, so every site with the plugin active should be treated as exposed until updated.

Generated by OpenCVE AI on June 26, 2026 at 17:50 UTC.

Remediation

Vendor Solution

Update the WordPress GeoDirectory plugin to version 2.8.163 or later.


OpenCVE Recommended Actions

  • Update the GeoDirectory plugin to version 2.8.163 or later, the vendor's fixed release.
  • If an immediate update is not feasible, deactivate the plugin, or restrict access to its public endpoints at the web server or WAF to trusted IP addresses. The flaw is unauthenticated, so controls that only apply to logged-in users (strong passwords, multi-factor authentication) do not mitigate it.
  • Keep WordPress core, themes and other plugins up to date, and run the site's database user with the minimum privileges it needs (no FILE privilege, no access to other databases) to limit what a successful injection can reach.
  • Monitor web server access logs and WAF events for SQL injection indicators (quotes followed by SQL keywords, UNION SELECT, SLEEP or BENCHMARK, comment terminators) in requests to the plugin's endpoints, and watch for unusual database errors or query volume.
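To act on the monitoring recommendation, the following added example (not code from OpenCVE, Patchstack or GeoDirectory) parses combined-format access log lines, URL-decodes each request target twice to defeat double encoding, and scores it against common SQL injection indicators. The log lines are constructed for illustration; the query parameters and the admin-ajax action name in them are placeholders rather than the CVE's vulnerable parameter, and the `geodir` substring filter is an assumption used to narrow attention to the plugin's requests, since the CVE does not name the affected endpoint.

```python
"""Flag SQL injection attempts against a WordPress plugin in an access log.

Added example, not code from the OpenCVE page or from GeoDirectory. The
PLUGIN_MARKER filter is an assumption; widen or drop it for your site.
"""
import re
from urllib.parse import unquote_plus

# Apache/nginx "combined" format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# (name, regex) pairs applied to the lower-cased, fully decoded request target.
INDICATORS = [
    ("quote_then_sql_keyword", re.compile(r"""['"][^'"]{0,40}\b(or|and|union|select)\b""")),
    ("union_select", re.compile(r"\bunion\b[\s/*]+(all[\s/*]+)?select\b")),
    ("time_based", re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor)\s*\(")),
    ("comment_terminator", re.compile(r"(--|#|/\*)\s*$|--\s")),
    ("tautology", re.compile(r"\b(or|and)\s+\d+\s*=\s*\d+")),
    ("schema_probe", re.compile(r"information_schema|wp_users|user_pass")),
]

# Assumed marker for the plugin's requests (path or query mentions it).
PLUGIN_MARKER = "geodir"


def parse_line(line):
    """Return the fields of a combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def decode_target(target):
    """URL-decode twice (attackers often double-encode) and lower-case."""
    return unquote_plus(unquote_plus(target)).lower()


def classify(line, plugin_only=True):
    """Return a findings dict for one log line, or None if it looks benign."""
    fields = parse_line(line)
    if fields is None:
        return None
    decoded = decode_target(fields["target"])
    if plugin_only and PLUGIN_MARKER not in decoded:
        return None
    hits = [name for name, rx in INDICATORS if rx.search(decoded)]
    if not hits:
        return None
    return {
        "ip": fields["ip"],
        "time": fields["time"],
        "method": fields["method"],
        "status": fields["status"],
        "target": decoded,
        "indicators": hits,
    }


def scan(lines, plugin_only=True):
    """Run classify() over an iterable of log lines and return all findings."""
    return [f for f in (classify(line, plugin_only) for line in lines) if f]


# Constructed sample log lines (not real traffic). Parameter names and the
# admin-ajax action are placeholders, not the CVE's vulnerable parameter.
SAMPLE_LOG = [
    '203.0.113.7 - - [26/Jun/2026:18:02:11 +0000] "GET /?geodir_search=1&s=coffee HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [26/Jun/2026:18:02:13 +0000] "GET /?geodir_search=1&s=coffee%27%20UNION%20SELECT%20user_login,user_pass%20FROM%20wp_users--%20- HTTP/1.1" 500 0 "-" "python-requests/2.31"',
    '198.51.100.9 - - [26/Jun/2026:18:03:40 +0000] "POST /wp-admin/admin-ajax.php?action=geodir_example&id=1%2520AND%2520SLEEP%25285%2529 HTTP/1.1" 200 23 "-" "curl/8.4"',
    '192.0.2.5 - - [26/Jun/2026:18:04:02 +0000] "GET /wp-login.php?redirect_to=%2F HTTP/1.1" 200 3400 "-" "Mozilla/5.0"',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["ip"], finding["status"], finding["indicators"], finding["target"])
```

On the constructed sample the UNION/`wp_users` request and the double-encoded `SLEEP(5)` request are flagged, the benign search and the login page are not, and the unparsable line is skipped. A 500 response paired with a flagged request, as in the second sample line, is worth treating as a possible successful probe rather than a blocked one; confirm against database error logs. Run with `plugin_only=False` to scan all requests when you do not trust the marker assumption.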

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 20:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Paolo
                                      Paolo geodirectory
                                      Wordpress
                                      Wordpress wordpress
Vendors & Products                    Paolo
                                      Paolo geodirectory
                                      Wordpress
                                      Wordpress wordpress

Fri, 26 Jun 2026 18:30:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 15:15:00 +0000

Type          Values Removed   Values Added
Description                    Unauthenticated SQL Injection in GeoDirectory <= 2.8.162 versions.
Title                          WordPress GeoDirectory plugin <= 2.8.162 - SQL Injection vulnerability
Weaknesses                     CWE-89
References
Metrics                        cvssV3_1
                               {'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-26T17:08:29.524Z

Reserved: 2026-06-16T09:21:51.803Z

Link: CVE-2026-54831

Vulnrichment

Updated: 2026-06-26T17:08:24.777Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T20:30:06Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')