Insecure Direct Object Reference in GeoDirectory Plugin for WordPress
CVE-2025-12833

4.3MEDIUM

Key Information:

Vendor

WordPress
Status
Geodirectory – WP Business Directory Plugin And Classified Listings Directory
Vendor
CVE Published:
12 November 2025

What is CVE-2025-12833?

The GeoDirectory – WP Business Directory Plugin for WordPress is susceptible to Insecure Direct Object Reference due to inadequate validation within the 'post_attachment_upload' function. This vulnerability allows authenticated users with author-level permissions or higher to upload arbitrary image files to unintended locations, potentially compromising website integrity and user data. All versions up to and including 2.8.139 are affected, underscoring the necessity for immediate attention and remediation.

Affected Version(s)

GeoDirectory – WP Business Directory Plugin and Classified Listings Directory * <= 2.8.139

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://wordpress.org/plugins/geodirectory/
https://github.com/AyeCode/geodirectory/commit/db655b04be...

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

German
JSON
.
CVE-2025-12833 : Insecure Direct Object Reference in GeoDirectory Plugin for WordPress