CVE-2025-12833
📋 TL;DR
This vulnerability lets authenticated WordPress users with Author-level permissions or higher attach arbitrary image files through the GeoDirectory plugin's post_attachment_upload handler. The handler does not validate the upload target, so an Author can attach images to any location the plugin manages, including listings they would not otherwise be allowed to modify. Attackers can abuse this to deface listings or seed attacker-chosen images for phishing. Only WordPress sites running an affected GeoDirectory version (2.8.139 or earlier, per the fix section) are affected.
💻 Affected Systems
- GeoDirectory – WP Business Directory Plugin and Classified Listings Directory
⚠️ Manual Verification Required
The CVE record itself carries no version range, so automatic detection based on the CVE database alone cannot tell whether your installation is affected.
Why? The NVD entry does not specify which versions are vulnerable. The affected range used in the fix section below (2.8.139 and earlier) comes from the vendor changeset and the Wordfence advisory listed in the references, not from the CVE record.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Only if chained with a separate weakness: the flaw described here concerns attaching image files, and nothing in this advisory describes a bypass of image-type checks. If an attacker can get executable content accepted as an "image" through another bug, the result could be remote code execution, site takeover, or a persistent backdoor.
Likely Case
Attackers attach inappropriate or misleading images to listings they do not own, defacing content, undermining the integrity of the directory, or lending credibility to phishing campaigns.
If Mitigated
If Author-level accounts are restricted to trusted users and uploads are validated as real images, impact is limited to minor content manipulation.
🎯 Exploit Status
Exploitation requires an authenticated account with Author-level access or higher. Once authenticated, exploitation is straightforward because the upload handler performs no validation of the target the image is attached to.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 2.8.139
Vendor Advisory: https://wordpress.org/plugins/geodirectory/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the GeoDirectory plugin and click 'Update Now'.
4. Verify the plugin version is above 2.8.139.
🔧 Temporary Workarounds
Restrict User Roles
Limit author-level and higher permissions to trusted users only.
Disable Plugin
Temporarily disable the GeoDirectory plugin if it is not essential:
wp plugin deactivate geodirectory
🧯 If You Can't Patch
- Deny execution of scripts under wp-content/uploads with web-server rules (.htaccess on Apache, location rules on nginx) and enforce image MIME-type and extension validation at upload time. Note that .htaccess cannot validate uploads by itself; it only limits what an uploaded file can do once it is on disk.
- Monitor and audit user activity, especially attachment uploads by Author-level accounts and uploads attached to content the uploader does not own.
🔍 How to Verify
Check if Vulnerable:
Check the plugin version in WordPress admin under Plugins > Installed Plugins; if the version is 2.8.139 or lower, the site is affected. Compare version components numerically, not as strings: 2.8.14 is older than 2.8.139 even though it sorts after it lexically.
Check Version:
wp plugin get geodirectory --field=version
Verify Fix Applied:
After updating, confirm the plugin version is above 2.8.139 and test file upload functionality.
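The check above done as a script, as an added example that is not part of the plugin or of the original advisory. It compares the installed version against 2.8.139 component by component (a plain string comparison would misjudge 2.8.14 as newer than 2.8.139) and, when invoked with the argument check, queries wp-cli for the installed version. The script name geodir-check.sh, and the assumptions that wp is on PATH and that the current directory is the WordPress root, are the example's own.

```shell
#!/bin/sh
# Added example: decide whether an installed GeoDirectory version falls in the
# affected range (2.8.139 and earlier) using a numeric per-component compare.

LAST_VULNERABLE="2.8.139"

# version_le A B: exit 0 if version A <= version B. Each dot-separated
# component is compared as an integer; missing components count as 0,
# so 2.8 and 2.8.0 compare equal.
version_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, A, "."); nb = split(b, B, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] + 0 : 0
            y = (i <= nb) ? B[i] + 0 : 0
            if (x < y) exit 0
            if (x > y) exit 1
        }
        exit 0
    }'
}

# geodir_vulnerable VERSION: exit 0 when VERSION is 2.8.139 or lower.
geodir_vulnerable() {
    version_le "$1" "$LAST_VULNERABLE"
}

# check_site: ask wp-cli for the installed version (assumption: wp is on PATH
# and the current directory is the WordPress root) and report the result.
# Exit status: 0 not affected, 1 affected, 2 could not determine.
check_site() {
    v=$(wp plugin get geodirectory --field=version 2>/dev/null) || {
        echo "GeoDirectory is not installed here or wp-cli is unavailable"
        return 2
    }
    if geodir_vulnerable "$v"; then
        echo "GeoDirectory $v is affected (<= $LAST_VULNERABLE): update the plugin"
        return 1
    fi
    echo "GeoDirectory $v is later than $LAST_VULNERABLE: not affected by this advisory"
    return 0
}

# Only touch wp-cli when run as: sh geodir-check.sh check
# (without the argument the functions are defined but nothing is executed).
if [ "${1:-}" = "check" ]; then
    check_site
fi
```

Run it from the WordPress root as `sh geodir-check.sh check`; the exit status (0, 1 or 2) makes it usable from a cron job or a fleet-wide inventory loop without parsing the message.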
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads by author-level users
- POST requests to post_attachment_upload with unexpected parameters
Network Indicators:
- HTTP requests with file uploads to GeoDirectory endpoints from unauthorized IPs
SIEM Query:
source="wordpress.log" AND "post_attachment_upload" AND status=200
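The log indicators above turned into a runnable check, as an added example that is not part of the original page or of the plugin. It scans web-server access-log lines in combined format for successful (HTTP 200) POSTs whose request line references post_attachment_upload, counts them per source IP, and filters out addresses on an allowlist. The sample log lines are constructed for the example, and the placement of the action name in the query string is an assumption: on many WordPress sites the AJAX action travels in the POST body, in which case the access log only shows admin-ajax.php and you need a WAF or application audit log that records the action.

```shell
#!/bin/sh
# Added example: flag successful calls to the GeoDirectory attachment upload
# handler in an access log (combined log format), grouped by source IP.

# Constructed sample log lines (not real traffic). Line 3 is a rejected
# attempt (403) and should not be counted; line 5 is an unrelated AJAX call.
SAMPLE_LOG='203.0.113.5 - - [10/Nov/2025:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=post_attachment_upload HTTP/1.1" 200 87 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Nov/2025:10:01:03 +0000] "GET /wp-content/uploads/2025/11/listing.jpg HTTP/1.1" 200 51233 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Nov/2025:10:02:10 +0000] "POST /wp-admin/admin-ajax.php?action=post_attachment_upload HTTP/1.1" 403 12 "-" "curl/8.4"
198.51.100.9 - - [10/Nov/2025:10:02:11 +0000] "POST /wp-admin/admin-ajax.php?action=post_attachment_upload HTTP/1.1" 200 87 "-" "curl/8.4"
192.0.2.77 - - [10/Nov/2025:10:03:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 40 "-" "Mozilla/5.0"'

# upload_hits: read combined-format lines on stdin and print "<ip> <count>"
# for every source IP with at least one 200 POST to the upload handler.
# Field 6 is the quoted method, field 7 the request path, field 9 the status.
upload_hits() {
    awk '$6 == "\"POST" && $7 ~ /post_attachment_upload/ && $9 == "200" { n[$1]++ }
         END { for (ip in n) print ip, n[ip] }' | sort
}

# total_upload_hits: total number of such requests on stdin (0 when none).
total_upload_hits() {
    awk '$6 == "\"POST" && $7 ~ /post_attachment_upload/ && $9 == "200" { c++ }
         END { print c + 0 }'
}

# hits_outside_allowlist "IP IP ...": like upload_hits, but drop source
# addresses that appear in the space-separated allowlist (e.g. the office
# range from which editors normally work).
hits_outside_allowlist() {
    upload_hits | awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($1 in ok)'
}

# Demo run over the constructed sample.
echo "successful upload-handler POSTs per IP:"
printf '%s\n' "$SAMPLE_LOG" | upload_hits
echo "of which from non-allowlisted IPs:"
printf '%s\n' "$SAMPLE_LOG" | hits_outside_allowlist "203.0.113.5"
```

For a live system, replace the sample with `hits_outside_allowlist "<your editor IPs>" < /var/log/apache2/access.log`. Any hit from an unexpected address, or an unusually high count for a single Author, is the event the SIEM query above is meant to surface.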
🔗 References
- https://github.com/AyeCode/geodirectory/commit/db655b04be32a160c0abf73217faf0a50585aa92
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3393024%40geodirectory&new=3393024%40geodirectory&sfp_email=&sfph_mail=
- https://wordpress.org/plugins/geodirectory/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/408f0c2a-ef3c-4592-8722-d56afce92e24?source=cve