GeoDirectory – WP Business Directory Plugin and Classified Listings Directory < 2.8.154 – Unauthenticated SQL Injection | CVE 2026-39512 | Plugin Vulnerabilities

Description

The GeoDirectory – WP Business Directory Plugin and Classified Listings Directory plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 2.8.152 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Affects Plugins

Fixed in 2.8.154

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/a83e7d8b-a93a-4347-bb59-de1e2fd954a5

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Tin Pham aka TF1T

Verified

No

WPVDB ID

a03c2e12-1b5f-46b5-a5d4-5c62da38db17

Timeline

Publicly Published

2026-04-13 (about 1 month ago)

Added

2026-04-21 (about 1 month ago)

Last Updated

2026-04-21 (about 1 month ago)

Other

Published

Title

Published

2025-05-22

Title

Pixel WordPress Form BuilderPlugin & Autoresponder < 1.0.3 - Unauthenticated SQL Injection

Published

2017-02-27

Title

NextGEN Gallery < 2.1.79 - Unauthenticated SQL Injection

Published

2014-08-01

Title

iCopyright(R) Article Tools <= 1.1.4 - SQL Injection

Published

2026-01-23

Title

WP-ClanWars <= 2.0.1 - Authenticated (Administrator+) SQL Injection via 'orderby' Parameter

Published

2025-07-09

Title

Events Manager < 7.0.4 - Unauthenticated SQL Injection via `orderby` Parameter