Platform
wordpress
Component
directorist
Fixed in
8.5.11
CVE-2026-39509 describes a missing authorization vulnerability within the Directorist WordPress plugin. This flaw allows attackers to exploit incorrectly configured access control security levels, potentially leading to unauthorized access and manipulation of data. The vulnerability affects versions from 0.0.0 through 8.5.10, and a fix is available in version 8.6.1.
The impact of this missing authorization vulnerability is significant, particularly for websites heavily reliant on the Directorist plugin for directory listings or business listings. An attacker could exploit this flaw to gain unauthorized access to sensitive data, such as user information, listing details, and potentially even administrative functions. Successful exploitation could lead to data breaches, defacement of the website, or even complete compromise of the WordPress installation. The blast radius extends to all users of the affected plugin, especially those with improperly configured access controls.
CVE-2026-39509 was published on 2026-04-08. Its severity is pending further evaluation, but the missing authorization nature suggests potential for exploitation. Public proof-of-concept (POC) code is currently unavailable, but the vulnerability's nature makes it likely that POCs will emerge. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns targeting Directorist.
Exploit Status
EPSS
0.04% (11% percentile)
CVSS Vector
The primary mitigation for CVE-2026-39509 is to immediately upgrade the Directorist plugin to version 8.6.1 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing stricter access control rules within the Directorist plugin's configuration to limit the potential impact of the vulnerability. While not a complete fix, this can reduce the attack surface. Additionally, review WordPress user roles and permissions to ensure they are appropriately configured. After upgrading, verify the fix by attempting to access restricted resources with a non-privileged user account to confirm access is denied.
Update to version 8.6.1, or a newer patched version
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-39509 is a Medium severity authorization flaw in the Directorist WordPress plugin, allowing attackers to exploit incorrectly configured access controls and potentially gain unauthorized access to data.
You are affected if you are using Directorist versions 0.0.0 through 8.5.10. Upgrade to version 8.6.1 to resolve the vulnerability.
Upgrade the Directorist plugin to version 8.6.1 or later. If immediate upgrade is not possible, implement stricter access control rules within the plugin's configuration.
While no active exploitation campaigns have been confirmed, the vulnerability's nature suggests potential for exploitation. Monitor security advisories for updates.
Refer to the Directorist plugin's official website and WordPress plugin repository for the latest security advisories and updates related to CVE-2026-39509.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.