MEDIUM · CVE-2026-24549 · CVSS 4.3

CVE-2026-24549: CSRF in GeoDirectory WordPress Plugin

Platform

wordpress

Component

geodirectory

Fixed in

2.8.150

AI Confidence: high · NVD · EPSS 0.0% · Reviewed: May 2026

CVE-2026-24549 identifies a Cross-Site Request Forgery (CSRF) vulnerability within the GeoDirectory plugin for WordPress. This flaw allows an attacker to trick authenticated users into unknowingly executing malicious actions on their GeoDirectory-powered website. The vulnerability impacts versions ranging from 0.0.0 through 2.8.149, and a patch is available in version 2.8.150.


Impact and Attack Scenarios

A successful CSRF attack could allow an attacker to perform actions on behalf of a logged-in user without their knowledge or consent. This could include modifying listings, changing user profiles, or even deleting data. The potential impact depends on the permissions granted to the affected user within the GeoDirectory plugin. An attacker could leverage this to gain unauthorized access to sensitive information or disrupt the functionality of the website. While the CVSS score is MEDIUM, the ease of exploitation and potential for data manipulation make this a significant concern.

Exploitation Context

CVE-2026-24549 was publicly disclosed on 2026-01-23. Currently, there are no known public proof-of-concept exploits available. The vulnerability is not listed on the CISA KEV catalog as of this writing. Given the relatively simple nature of CSRF attacks and the widespread use of WordPress and GeoDirectory, it is prudent to assume that this vulnerability could be targeted in the future.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

0.01% (0% percentile)

CISA SSVC

Exploitation: none
Automatable: no
Technical Impact: partial

CVSS Vector

THREAT INTELLIGENCE · CVSS 3.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Base Score: 4.3 (MEDIUM)
Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: None (authentication level needed to attack)
User Interaction: Required (whether a victim must take action)
Scope: Unchanged (impact beyond the vulnerable component)
Confidentiality: None (risk of sensitive data exposure)
Integrity: Low (risk of unauthorized data modification)
Availability: None (risk of service disruption)
Source: nextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
Required — victim must take an action: open a file, click a link, or visit a crafted page.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
None — no confidentiality impact. Attacker cannot read protected data.
Integrity
Low — attacker can modify some data with limited scope or impact.
Availability
None — no availability impact. Service remains fully operational.

Affected Software

Component: geodirectory
Vendor: wordfence
Affected range: 0 – 2.8.149
Fixed in: 2.8.150

Package Information

Active installs: 10K (Popular)
Plugin rating: 4.8
Requires WordPress: 6.0+
Compatible up to: 7.0
Requires PHP: 5.6+

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2026-24549 is to upgrade the GeoDirectory plugin to version 2.8.150 or later immediately. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider temporary workarounds such as adding CSRF tokens to all sensitive forms and actions within the GeoDirectory plugin. Web Application Firewalls (WAFs) configured to detect and block CSRF attacks can also provide an additional layer of protection. After upgrading, confirm the vulnerability is resolved in a test environment by submitting a cross-site request that lacks a valid token and verifying that it is blocked or fails.
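For readers who maintain custom code around GeoDirectory, or who want to understand what "adding CSRF tokens" means in WordPress terms, the following is an added illustration of the standard WordPress nonce pattern. It is not GeoDirectory's code and says nothing about which handler was affected; the function names (my_listing_form, my_listing_update), the action name and the field name _my_nonce are hypothetical.

```php
<?php
// Added example, not GeoDirectory code: the standard WordPress defence for a
// state-changing request. A nonce bound to the action (and the listing id) is
// embedded in the form and verified on submission, and a capability check
// follows, because a nonce proves intent, not authorization.
// Hypothetical names: my_listing_form, my_listing_update, _my_nonce.

// 1. Render the form with a nonce tied to this specific action and listing.
function my_listing_form( $listing_id ) {
    $listing_id = (int) $listing_id;
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="my_listing_update">
        <input type="hidden" name="listing_id" value="<?php echo $listing_id; ?>">
        <?php wp_nonce_field( 'my_listing_update_' . $listing_id, '_my_nonce' ); ?>
        <input type="text" name="title">
        <button type="submit">Save</button>
    </form>
    <?php
}

// 2. Handle the submission: verify the nonce first, then the capability, then act.
function my_listing_update() {
    $listing_id = isset( $_POST['listing_id'] ) ? (int) $_POST['listing_id'] : 0;

    // The nonce is derived from the current user's session and the action
    // string, so a request forged from another origin cannot carry a valid one.
    $nonce = isset( $_POST['_my_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['_my_nonce'] ) )
        : '';
    if ( ! wp_verify_nonce( $nonce, 'my_listing_update_' . $listing_id ) ) {
        wp_die( 'Invalid request token.', 'Forbidden', array( 'response' => 403 ) );
    }

    // Authorization is separate from CSRF protection: confirm this user may
    // edit this particular listing.
    if ( ! current_user_can( 'edit_post', $listing_id ) ) {
        wp_die( 'Insufficient permissions.', 'Forbidden', array( 'response' => 403 ) );
    }

    $title = isset( $_POST['title'] ) ? sanitize_text_field( wp_unslash( $_POST['title'] ) ) : '';
    wp_update_post( array( 'ID' => $listing_id, 'post_title' => $title ) );

    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
}

// admin_post_{action} fires only for logged-in users; the admin_post_nopriv_
// variant is deliberately not registered for a state-changing action.
add_action( 'admin_post_my_listing_update', 'my_listing_update' );
```

The order of checks matters: the nonce test rejects forged requests before any data is touched, and the capability test stops a legitimately logged-in but under-privileged user from editing listings they do not own. A WAF rule that blocks POSTs to such handlers without a same-origin Referer or Origin header is a useful second layer, but the in-code nonce check is what the vendor fix in 2.8.150 is expected to provide.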

How to fix

Update to version 2.8.150, or a newer patched version


Frequently asked questions

What is CVE-2026-24549 — CSRF in GeoDirectory WordPress Plugin?

CVE-2026-24549 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the GeoDirectory WordPress plugin, allowing attackers to forge requests and potentially modify data.

Am I affected by CVE-2026-24549 in GeoDirectory WordPress Plugin?

You are affected if your WordPress site uses GeoDirectory version 0.0.0 through 2.8.149. Check your plugin version and upgrade immediately if vulnerable.

How do I fix CVE-2026-24549 in GeoDirectory WordPress Plugin?

Upgrade the GeoDirectory plugin to version 2.8.150 or later. If immediate upgrade isn't possible, consider temporary workarounds like CSRF tokens or WAF rules.

Is CVE-2026-24549 being actively exploited?

As of now, there are no confirmed reports of active exploitation, but the vulnerability's ease of exploitation warrants caution.

Where can I find the official GeoDirectory advisory for CVE-2026-24549?

Refer to the GeoDirectory plugin's official website or WordPress plugin repository for the latest security advisory and update information.
