CVE-2026-54831 (CRITICAL), CNA: Patchstack

CVE-2026-54831: WordPress GeoDirectory plugin <= 2.8.162 - SQL Injection vulnerability

Unauthenticated SQL Injection in GeoDirectory <= 2.8.162 versions.

Metrics

CVSS v3.1: 9.3
Severity: CRITICAL
Fixed in: (none listed)
Affected Products: 1

HarborGuard Analysis

Synopsis

An unauthenticated SQL injection vulnerability affects the WordPress GeoDirectory plugin at version 2.8.162 and below. The vulnerability is reachable over the network with no login required and no user interaction, making it trivially exploitable by any remote attacker. Successful exploitation gives an attacker read access to the underlying database and limited ability to disrupt service availability. No upstream fix has been published yet; HarborGuard is tracking the advisory and will make a patched-image rebuild available as soon as a fix version is released.

HarborGuard Coverage

Detection

Detection of CVE-2026-54831 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream advisory feeds, including Patchstack. This capability extends to custom-built images that bundle the GeoDirectory plugin, not just images pulled directly from public registries.

Status: Available

Triage

HarborGuard is capable of scoring this CVE at its published CVSS v3.1 rating of 9.3 (Critical) and weighting that score against each customer environment's compliance policy to determine urgency tier and routing. Alerts are routable to the appropriate team inbox within each customer organization based on policy configuration.

Status: Available

Patch

Because no fix version has been published for CVE-2026-54831, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers with auto-remediation enabled, that rebuild will trigger a regression test run and a PR opened against affected workloads without requiring manual intervention.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to reach the WordPress installation over the network; no local or physical access is required.

  • Authentication: Not required

    No account or session token is needed; the vulnerable endpoint is fully unauthenticated.

  • Victim interaction: Not required

    No user action is required; the attacker sends crafted requests directly to the plugin endpoint without any social-engineering step.

  • Attack complexity: Detail

    Exploit conditions are straightforward and reliable, with no race conditions or environment-specific factors required to trigger the injection.

Blast Radius

  • An attacker can read arbitrary database contents, including WordPress user table data such as usernames, hashed passwords, email addresses, and session tokens.
  • An attacker can extract GeoDirectory listing data and any other structured content stored in the WordPress database, which may include personally identifiable information submitted by site visitors.
  • The combination of C:H (high confidentiality impact) and S:C (changed scope) means database reads can cross into data belonging to other applications or tenants sharing the same database server, depending on the host configuration.
  • Availability impact is rated Low, meaning an attacker can cause partial service degradation, such as slowing or intermittently disrupting database-backed page responses, though a full site outage is not the expected outcome.

How HarborGuard Handles This

Available on HarborGuard: this CVE is flagged Critical (CVSS 9.3) and is matched against any image containing GeoDirectory 2.8.162 or earlier as soon as it is seen in a customer registry or CI pipeline. Because no upstream patch exists at this time, HarborGuard monitors the Patchstack advisory on every ingest cycle and will surface a patched-image rebuild automatically once a fix version is published; for customers with auto-remediation enabled, that will include a regression test run and a PR opened against affected workloads. In the interim, compensating controls available within HarborGuard policy include network-policy isolation to restrict external access to affected WordPress deployments, egress filtering to limit what the application server can reach on the database network, and advisory-watch alerts so the relevant team is notified the moment a fix version appears upstream.

Affected packages
  • Paolo / GeoDirectory
    ≤ 2.8.162
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L