GeoDirectory – WP Business Directory Plugin and Classified Listings Directory < 2.8.140 – Missing Authorization to Authenticated (Author+) Arbitrary Image Attachment | CVE 2025-12833 | Plugin Vulnerabilities

Description

The GeoDirectory – WP Business Directory Plugin and Classified Listings Directory plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.8.139 via the 'post_attachment_upload' function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with author-level access and above, to attach arbitrary image files to arbitrary places.

Affects Plugins

Fixed in 2.8.140

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/408f0c2a-ef3c-4592-8722-d56afce92e24

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

DityaRA

Verified

No

WPVDB ID

c11af4b5-a7bc-42b0-bbb7-468a749e0217

Timeline

Publicly Published

2025-11-11 (about 6 months ago)

Added

2025-11-11 (about 6 months ago)

Last Updated

2025-11-12 (about 6 months ago)

Other

Published

Title

Published

2024-03-04

Title

FeedWordPress < 2024.0428 - Unauthenticated Draft Access

Published

2024-04-01

Title

Tickera < 3.5.2.5 - Ticket leakage through IDOR

Published

2026-02-09

Title

WCFM Membership – WooCommerce Memberships for Multivendor Marketplace < 2.11.9 - Insecure Direct Object Reference to Update Membership Payment

Published

2025-03-13

Title

Omnipress < 1.5.5 - Authenticated (Contributor+) Post Disclosure

Published

2025-10-17

Title

Event Tickets and Registration < 5.26.6 - Unauthenticated Ticket Payment Bypass