{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24549", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-23T12:31:46.854Z", "datePublished": "2026-01-23T14:28:52.855Z", "dateUpdated": "2026-04-28T16:14:49.105Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "geodirectory", "product": "GeoDirectory", "vendor": "Paolo", "versions": [{"changes": [{"at": "2.8.150", "status": "unaffected"}], "lessThanOrEqual": "2.8.149", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:44:05.245Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Cross-Site Request Forgery (CSRF) vulnerability in Paolo GeoDirectory geodirectory allows Cross Site Request Forgery.<p>This issue affects GeoDirectory: from n/a through <= 2.8.149.</p>"}], "value": "Cross-Site Request Forgery (CSRF) vulnerability in Paolo GeoDirectory geodirectory allows Cross Site Request Forgery.This issue affects GeoDirectory: from n/a through <= 2.8.149."}], "impacts": [{"capecId": "CAPEC-62", "descriptions": [{"lang": "en", "value": "Cross Site Request Forgery"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "description": "Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:49.105Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/geodirectory/vulnerability/wordpress-geodirectory-plugin-2-8-147-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"}], "title": "WordPress GeoDirectory plugin <= 2.8.149 - Cross Site Request Forgery (CSRF) vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-27T19:57:01.135687Z", "id": "CVE-2026-24549", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T14:21:33.251Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24549", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-27T19:57:01.135687Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-27T19:56:56.843Z"}}], "cna": {"title": "WordPress GeoDirectory plugin <= 2.8.149 - Cross Site Request Forgery (CSRF) vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-62", "descriptions": [{"lang": "en", "value": "Cross Site Request Forgery"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Paolo", "product": "GeoDirectory", "versions": [{"status": "affected", "changes": [{"at": "2.8.150", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "2.8.149"}], "packageName": "geodirectory", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-28T13:26:21.990Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/geodirectory/vulnerability/wordpress-geodirectory-plugin-2-8-147-cross-site-request-forgery-csrf-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Cross-Site Request Forgery (CSRF) vulnerability in Paolo GeoDirectory geodirectory allows Cross Site Request Forgery.This issue affects GeoDirectory: from n/a through <= 2.8.149.", "supportingMedia": [{"type": "text/html", "value": "Cross-Site Request Forgery (CSRF) vulnerability in Paolo GeoDirectory geodirectory allows Cross Site Request Forgery.<p>This issue affects GeoDirectory: from n/a through <= 2.8.149.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T12:10:44.905Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24549", "state": "PUBLISHED", "dateUpdated": "2026-04-28T14:21:33.251Z", "dateReserved": "2026-01-23T12:31:46.854Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-23T14:28:52.855Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Cross-Site Request Forgery (CSRF) vulnerability in Paolo GeoDirectory geodirectory allows Cross Site Request Forgery.This issue affects GeoDirectory: from n/a through <= 2.8.149."}, {"lang": "es", "value": "Vulnerabilidad de falsificaci\u00f3n de petici\u00f3n en sitios cruzados (CSRF) en Paolo GeoDirectory permite la falsificaci\u00f3n de petici\u00f3n en sitios cruzados. Este problema afecta a GeoDirectory: desde n/a antes de 2.8.150."}], "id": "CVE-2026-24549", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-01-23T15:16:11.227", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/geodirectory/vulnerability/wordpress-geodirectory-plugin-2-8-147-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-16T07:30:59.477398+00:00", "value": {"mitigation_remediation": ["Upgrade the GeoDirectory plugin to a version newer than 2.8.149 that contains the CSRF fix.", "Restrict access to the plugin\u2019s administrative interfaces to the most trusted user roles, limiting the potential impact of any forged requests.", "Enforce strong authentication practices for site administrators, such as two\u2011factor authentication, to reduce the risk of compromised accounts being used in CSRF attacks."], "summary": {"action": "Patch", "impact": "Unauthorized Actions"}, "threat_synthesis": {"affected_systems": "All installations of the GeoDirectory WordPress plugin developed by Paolo that run versions up to and including 2.8.149 are affected. Any WordPress site that has this plugin installed and a user signed in can be vulnerable.", "description_and_impact": "The GeoDirectory WordPress plugin contains a Cross\u2011Site Request Forgery (CSRF) flaw that allows attackers to send requests to the plugin without including a valid anti\u2011CSRF token. Because the plugin accepts these forged requests as legitimate, they are processed as if they were made by an authenticated user. The vulnerability provides no direct code execution, but it enables attackers to trigger actions that normally require a logged\u2011in user, potentially leading to unintended changes or data exposure.", "risk_and_exploitability": "The CVSS score of 4.3 indicates a medium severity, while the EPSS score of less than 1% suggests a very low likelihood of current exploitation. The plugin is not listed in CISA\u2019s KEV catalog. The likely attack scenario involves a malicious website embedding resources that trigger the vulnerable endpoint while a user remains authenticated; the request is sent automatically by the browser and processed as if the user had submitted it directly. The combination of moderate severity and low exploitation probability means the flaw could cause damage if leveraged in the wild, but the chance of it being exploited currently is low."}}}}, "created": "2026-01-26T11:53:23.458322+00:00", "updated": "2026-04-16T07:45:06.011806+00:00", "vendors": ["paolo", "paolo$PRODUCT$geodirectory", "wordpress", "wordpress$PRODUCT$wordpress"]}