Severity: CRITICAL | CVE-2026-39512 | CNA: Patchstack

CVE-2026-39512: WordPress GeoDirectory plugin <= 2.8.152 - SQL Injection vulnerability

Unauthenticated SQL Injection in GeoDirectory versions <= 2.8.152.

Metrics

CVSS v3.1: 9.3
Severity: CRITICAL
Fixed in: none published yet
Affected Products: 1


HarborGuard Analysis

Synopsis

An unauthenticated SQL injection vulnerability affects the WordPress GeoDirectory plugin at version 2.8.152 and earlier. The flaw is reachable over the network without any login or privileges, meaning any internet-facing WordPress site running the affected plugin is exposed. Successful exploitation gives an attacker read access to the database and limited ability to disrupt availability. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built WordPress images that bundle the GeoDirectory plugin. Any image found to include an affected version of the plugin is flagged immediately.

Triage: Available

HarborGuard scores this vulnerability at CVSS 9.3 (Critical) and weights it against each customer organization's compliance policy to determine urgency and ownership. Findings are routed to the appropriate team inbox within each customer org based on configured policy rules.

Patch: Pending upstream

Because no fix version has been published upstream, HarborGuard re-evaluates this advisory on every ingest cycle and will make a patched-image rebuild available the moment the upstream maintainer ships a remediated release. In the meantime, compensating controls such as network-policy isolation for affected workloads can be applied through HarborGuard's policy engine.

Exploit Conditions

  • Network reachability: Required

    The vulnerable plugin endpoint is exposed over the network, so an attacker must be able to reach the WordPress site via HTTP or HTTPS.

  • Authentication: Not required

    No account or credentials of any kind are needed to trigger the injection.

  • Victim interaction: Not required

    The attack is fully automated and requires no action from any user of the site.

  • Attack complexity: Low (AC:L)

    Exploitation is reliable and condition-free, requiring no race conditions or special environmental setup.

Blast Radius

  • An attacker reads arbitrary rows from the WordPress database, including stored user credentials, session tokens, private post content, and plugin configuration data.
  • Database availability is partially disrupted through resource-exhausting query payloads, degrading site responsiveness.
  • Because the CVSS Scope metric is Changed (S:C), impact can extend beyond the WordPress application itself to other services or data stores sharing the same database instance.

How HarborGuard Handles This

Available on HarborGuard: this CVE is currently tracked without a published fix, so HarborGuard monitors the upstream advisory on every ingest cycle. For customers running container images that bundle the GeoDirectory plugin at or below version 2.8.152, the vulnerability is flagged at Critical severity and routed per each organization's compliance policy. Where compliance policy permits, customers can apply compensating controls such as web-application-firewall rules, network-policy isolation of the WordPress workload, and egress filtering on database connections to reduce exposure until a patch is available. The moment the upstream maintainer publishes a fix, HarborGuard will make a patched-image rebuild available, and for customers with auto-remediation enabled a rebuild, regression-test run, and PR opened against affected workloads will be triggered automatically.

Affected packages
  • Paolo / GeoDirectory: ≤ 2.8.152
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
References