{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12833", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-06T19:46:39.817Z", "datePublished": "2025-11-12T04:29:09.221Z", "dateUpdated": "2026-04-08T16:48:26.458Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:48:26.458Z"}, "affected": [{"vendor": "paoltaia", "product": "GeoDirectory \u2013 WP Business Directory Plugin and Classified Listings Directory", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.8.139", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The GeoDirectory \u2013 WP Business Directory Plugin and Classified Listings Directory plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.8.139 via the 'post_attachment_upload' function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with author-level access and above, to attach arbitrary image files to arbitrary places."}], "title": "GeoDirectory \u2013 WP Business Directory Plugin and Classified Listings Directory <= 2.8.139 - Missing Authorization to Authenticated (Author+) Arbitrary Image Attachment", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/408f0c2a-ef3c-4592-8722-d56afce92e24?source=cve"}, {"url": "https://wordpress.org/plugins/geodirectory/"}, {"url": "https://github.com/AyeCode/geodirectory/commit/db655b04be32a160c0abf73217faf0a50585aa92"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3393024%40geodirectory&new=3393024%40geodirectory&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-639 Authorization Bypass Through User-Controlled Key", "cweId": "CWE-639", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "German"}], "timeline": [{"time": "2025-11-06T20:01:51.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-11-11T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-12T18:16:06.343248Z", "id": "CVE-2025-12833", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-12T18:16:20.350Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12833", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-12T18:16:06.343248Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-12T18:16:16.378Z"}}], "cna": {"title": "GeoDirectory \u2013 WP Business Directory Plugin and Classified Listings Directory <= 2.8.139 - Missing Authorization to Authenticated (Author+) Arbitrary Image Attachment", "credits": [{"lang": "en", "type": "finder", "value": "German"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "paoltaia", "product": "GeoDirectory \u2013 WP Business Directory Plugin and Classified Listings Directory", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.8.139"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-06T20:01:51.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-11-11T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/408f0c2a-ef3c-4592-8722-d56afce92e24?source=cve"}, {"url": "https://wordpress.org/plugins/geodirectory/"}, {"url": "https://github.com/AyeCode/geodirectory/commit/db655b04be32a160c0abf73217faf0a50585aa92"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3393024%40geodirectory&new=3393024%40geodirectory&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The GeoDirectory \u2013 WP Business Directory Plugin and Classified Listings Directory plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.8.139 via the 'post_attachment_upload' function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with author-level access and above, to attach arbitrary image files to arbitrary places."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:48:26.458Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12833", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:48:26.458Z", "dateReserved": "2025-11-06T19:46:39.817Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-12T04:29:09.221Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The GeoDirectory \u2013 WP Business Directory Plugin and Classified Listings Directory plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.8.139 via the 'post_attachment_upload' function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with author-level access and above, to attach arbitrary image files to arbitrary places."}], "id": "CVE-2025-12833", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-12T05:15:41.940", "references": [{"source": "security@wordfence.com", "url": "https://github.com/AyeCode/geodirectory/commit/db655b04be32a160c0abf73217faf0a50585aa92"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3393024%40geodirectory&new=3393024%40geodirectory&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/geodirectory/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/408f0c2a-ef3c-4592-8722-d56afce92e24?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T03:55:55.587148+00:00", "value": {"mitigation_remediation": ["Upgrade the GeoDirectory plugin to a version newer than 2.8.139, which removes the vulnerable upload functionality.", "Verify that author and higher roles cannot access the post_attachment_upload function by adjusting role capabilities or disabling the upload feature, thereby addressing the CWE\u2011639 authorization bypass through user\u2011controlled key.", "Audit existing attachments for potential malicious content and ensure no residual upload endpoints remain active."], "summary": {"action": "Update Plugin", "impact": "arbitrary image attachment via missing authorization"}, "threat_synthesis": {"affected_systems": "WordPress sites that have the GeoDirectory \u2013 WP Business Directory Plugin and Classified Listings Directory installed in any version up to and including 2.8.139 are affected. Any site with an author account or higher role that can access the plugin\u2019s upload functionality is vulnerable.", "description_and_impact": "The GeoDirectory WordPress plugin contains an insecure direct object reference in the post_attachment_upload function. This flaw is caused by a missing validation on a user\u2011controlled key, allowing authenticated users with author-level permissions or greater to upload and attach any image file to any supported element within the plugin. The attack does not provide remote code execution, data exfiltration, or other direct system compromise, but it does enable a user to alter content that is displayed to site visitors.", "risk_and_exploitability": "The CVSS score of 4.3 indicates a moderate impact. An EPSS score of less than 1% suggests a very low but non\u2011zero probability that this vulnerability will be exploited. The vulnerability is not currently listed in the CISA KEV catalog. Exploitation requires an authenticated session with author or higher privileges, and the attack vector is the authenticated user\u2019s ability to submit a file to the upload endpoint."}}}}, "created": "2025-11-12T12:36:28.281893+00:00", "updated": "2026-04-22T04:00:08.011480+00:00", "vendors": ["paoltaia", "paoltaia$PRODUCT$geodirectory", "wordpress", "wordpress$PRODUCT$wordpress"]}