CVE-2026-54831
GeoDirectory · GeoDirectory
GeoDirectory versions 2.8.162 and earlier are susceptible to an unauthenticated SQL injection vulnerability, enabling database manipulation by remote attackers.
Executive summary
The GeoDirectory plugin for WordPress contains a critical unauthenticated SQL injection flaw that permits unauthorized database access and potential data exfiltration.
Vulnerability
This vulnerability is an unauthenticated SQL injection: user-supplied input reaches a database query without adequate sanitization or parameterization. No administrative or user login is required to trigger it, which significantly increases the attack surface.
Business impact
An attacker leveraging this flaw can gain unauthorized access to the application’s backend database, leading to the exposure of sensitive user data, configuration details, or credentials. The CVSS score of 9.3 underscores the critical nature of this vulnerability and the high likelihood of severe business impact if left unpatched.
Remediation
Immediate Action: Upgrade the GeoDirectory plugin to the latest available version provided by the vendor.
Proactive Monitoring: Monitor database query performance and audit application logs for suspicious characters or patterns associated with SQL injection probes.
Compensating Controls: Implement WAF filtering to intercept and drop requests containing malicious SQL payloads directed at the GeoDirectory plugin endpoints.
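To make the log-auditing and WAF-pattern advice above concrete, here is an added example (not from the advisory or the GeoDirectory project) that scans access-log lines for common SQL injection probe indicators after fully URL-decoding each query parameter; the log lines, paths and parameter names are constructed placeholders, since the advisory names no specific endpoint.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed sample access-log lines (combined log format). Paths and parameter
# names are placeholders: the advisory names no specific GeoDirectory endpoint.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2026:12:00:01 +0000] "GET /?plugin_search=1&q=london HTTP/1.1" 200 512
203.0.113.11 - - [10/Mar/2026:12:00:02 +0000] "GET /?plugin_search=1&q=london%27%20OR%20SLEEP(5)--%20 HTTP/1.1" 200 512
203.0.113.12 - - [10/Mar/2026:12:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=PLACEHOLDER_ACTION&id=1%2520UNION%2520SELECT%25201%252C2%252C3-- HTTP/1.1" 200 2048
203.0.113.13 - - [10/Mar/2026:12:00:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""

# Indicator patterns: each named regex is checked against the *decoded* value.
INDICATORS = {
    "quote_or_comment": re.compile(r"""['"]|--|/\*|;"""),
    "tautology": re.compile(r"\b(or|and)\s+(\d+|'[^']*')\s*=\s*(\d+|'[^']*')", re.I),
    "union_select": re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),
    "time_based": re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor)\s*\(?", re.I),
    "schema_probe": re.compile(r"\binformation_schema\b|\bwp_users\b", re.I),
}

REQUEST_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def decode_param(value: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of URL encoding so double-encoded probes are still seen."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def sqli_indicators(value: str) -> list:
    """Return the names of all indicator patterns matching a parameter value."""
    decoded = decode_param(value)
    return [name for name, rx in INDICATORS.items() if rx.search(decoded)]

def scan_log(text: str) -> list:
    """Scan access-log text; return one finding per parameter showing SQLi indicators."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            hits = sqli_indicators(value)
            if hits:
                findings.append({"ip": m["ip"], "path": url.path, "param": name, "indicators": hits})
    return findings
```

Running `scan_log(SAMPLE_LOG)` flags the second and third constructed lines only; the same indicator regexes can seed a WAF rule set for the plugin's endpoints once those are identified.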
Exploitation status
Public Exploit Available: No
Analyst recommendation
Given the critical risk posed by this unauthenticated vulnerability, remediation should be treated as a high-priority task. Organizations utilizing GeoDirectory must ensure they are updated to the secure version to prevent potential compromise of the application environment.