Platform
wordpress
Component
geodirectory
Fixed version
2.8.150
CVE-2026-24549 identifies a Cross-Site Request Forgery (CSRF) vulnerability within the GeoDirectory plugin for WordPress. This flaw allows an attacker to trick authenticated users into unknowingly executing malicious actions on their GeoDirectory-powered website. The vulnerability impacts versions ranging from 0.0.0 through 2.8.149, and a patch is available in version 2.8.150.
A successful CSRF attack could allow an attacker to perform actions on behalf of a logged-in user without their knowledge or consent. This could include modifying listings, changing user profiles, or even deleting data. The potential impact depends on the permissions granted to the affected user within the GeoDirectory plugin. An attacker could leverage this to gain unauthorized access to sensitive information or disrupt the functionality of the website. While the CVSS score is MEDIUM, the ease of exploitation and potential for data manipulation make this a significant concern.
CVE-2026-24549 was publicly disclosed on 2026-01-23. Currently, there are no known public proof-of-concept exploits available. The vulnerability is not listed on the CISA KEV catalog as of this writing. Given the relatively simple nature of CSRF attacks and the widespread use of WordPress and GeoDirectory, it is prudent to assume that this vulnerability could be targeted in the future.
Websites utilizing the GeoDirectory plugin for WordPress, particularly those with user-generated content or sensitive data managed through the plugin, are at risk. Shared hosting environments where plugin updates are managed centrally are also particularly vulnerable, as they may be slower to apply security patches.
• wordpress / composer / npm:
grep -r 'geodirectory/includes/functions.php' /var/www/html/
• wordpress / composer / npm:
wp plugin list | grep geodirectory
• wordpress / composer / npm:
wp plugin update geodirectory
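The detection commands above only locate the plugin; deciding whether the installed build is inside the affected range (0.0.0 through 2.8.149) still needs a numeric version comparison, because a plain string comparison ranks 2.10.0 below 2.8.150. The following script is an added example written for this page, not code from the advisory or from the GeoDirectory project. It assumes the plugin's main file lives at wp-content/plugins/geodirectory/geodirectory.php and carries a standard WordPress "Version:" header; the sample header text it checks is constructed.

```shell
#!/bin/sh
# Added example: classify an installed GeoDirectory version against CVE-2026-24549.
# Fixed version taken from the advisory; affected builds are strictly below it.
FIXED_VERSION="2.8.150"

# version_cmp A B: print -1, 0 or 1 comparing dotted versions component by component.
# Numeric comparison avoids the 2.10.0 < 2.8.150 mistake a string compare would make.
version_cmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0   # missing components count as 0
            q = (i <= nb) ? y[i] + 0 : 0
            if (p < q) { print "-1"; exit }
            if (p > q) { print "1"; exit }
        }
        print "0"
    }'
}

# geodir_vulnerable VERSION: succeeds (exit 0) when VERSION is below the fixed version.
geodir_vulnerable() {
    [ "$(version_cmp "$1" "$FIXED_VERSION")" -lt 0 ]
}

# version_from_header: read a WordPress plugin header on stdin and print its Version: value.
version_from_header() {
    sed -n 's/^[[:space:]]*\**[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# plugin_version FILE: extract the version from the plugin's main file.
# Assumed path (not stated by the advisory): wp-content/plugins/geodirectory/geodirectory.php
plugin_version() {
    version_from_header < "$1"
}

# Demonstration on a constructed header (the real check would read the plugin file):
SAMPLE_HEADER=' * Plugin Name: GeoDirectory
 * Version: 2.8.149'
SAMPLE_VERSION=$(printf '%s\n' "$SAMPLE_HEADER" | version_from_header)
if geodir_vulnerable "$SAMPLE_VERSION"; then
    echo "geodirectory $SAMPLE_VERSION: affected by CVE-2026-24549, update to $FIXED_VERSION"
else
    echo "geodirectory $SAMPLE_VERSION: not affected"
fi
```

On a live host, replace the constructed header with `plugin_version /var/www/html/wp-content/plugins/geodirectory/geodirectory.php` (adjusting the document root), or feed the version column from `wp plugin list` straight into `geodir_vulnerable`.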
Exploitation status
EPSS
0.01% (0th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-24549 is to immediately upgrade the GeoDirectory plugin to version 2.8.150 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing temporary workarounds such as adding CSRF tokens to all sensitive forms and actions within the GeoDirectory plugin. Web Application Firewalls (WAFs) configured to detect and block CSRF attacks can also provide an additional layer of protection. After upgrading, confirm the vulnerability is resolved by attempting a CSRF attack on a test environment and verifying that the request is blocked or fails.
Update to version 2.8.150 or a later fixed version.
CVE-2026-24549 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the GeoDirectory WordPress plugin, allowing attackers to forge requests and potentially modify data.
You are affected if your WordPress site uses GeoDirectory version 0.0.0 through 2.8.149. Check your plugin version and upgrade immediately if vulnerable.
Upgrade the GeoDirectory plugin to version 2.8.150 or later. If immediate upgrade isn't possible, consider temporary workarounds like CSRF tokens or WAF rules.
As of now, there are no confirmed reports of active exploitation, but the vulnerability's ease of exploitation warrants caution.
Refer to the GeoDirectory plugin's official website or WordPress plugin repository for the latest security advisory and update information.