Missing Authorization Vulnerability in Paolo GeoDirectory Plugin
CVE-2026-42671

6.5MEDIUM

Key Information:

Vendor: WordPress
Status: Geodirectory
Vendor: CVE Published:; 1 June 2026

What is CVE-2026-42671?

A missing authorization vulnerability in the Paolo GeoDirectory plugin can lead to incorrect access control configurations. This flaw allows unauthorized users to exploit vulnerabilities in the access control security levels, potentially exposing sensitive information and functions within the GeoDirectory environment. Users of the plugin may be at risk, especially those operating on versions prior to 2.8.157. It is essential for website administrators to review their configurations and apply necessary patches to safeguard against unauthorized access.

Affected Version(s)

GeoDirectory <= 2.8.157

References

https://patchstack.com/database/wordpress/plugin/geodirec...

vdb-entry

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 1, 2026
Vulnerability Reserved
Apr 29, 2026

Credit

Evan NR | Patchstack Bug Bounty Program

CVE-2026-42671 Data

JSON

WordPress

What is CVE-2026-42671?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit