GeoDirectory < 2.3.71 – Missing Authorization via geodirectory_rated() | CVE 2024-43981 | Plugin Vulnerabilities

Description

The GeoDirectory plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the geodirectory_rated() function in versions up to, and including, 2.3.70. This makes it possible for authenticated attackers, with subscriber-level access and above, to set the 'geodirectory_admin_footer_text_rated' option value to true.

Affects Plugins

Fixed in 2.3.71

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/8f687ee4-9760-48dd-9427-853de877dacc

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Trương Hữu Phúc (truonghuuphuc)

Verified

No

WPVDB ID

ea017b81-9691-4f91-b71c-1c98d31e1d87

Timeline

Publicly Published

2024-08-28 (about 1 year ago)

Added

2024-09-04 (about 1 year ago)

Last Updated

2024-09-04 (about 1 year ago)

Other

Published

Title

Published

2025-03-24

Title

Menu Duplicator <= 1.0 - Missing Authorization

Published

2025-10-06

Title

MSN Partner Hub <= 2.8.7 - Missing Authorization

Published

2024-05-29

Title

Post Grid Gutenberg Blocks and WordPress Blog Plugin – PostX < 4.1.3 - Missing Authorization to Arbitrary Options Update

Published

2026-02-13

Title

Appointment Booking Calendar Plugin <= 1.0.2 - Missing Authorization to Unauthenticated Arbitrary Appointment Status Modification

Published

2025-01-16

Title

Delete All Posts <= 1.1.1 - Missing Authorization