CVE-2026-59518
wpWax · Directorist
The Directorist plugin for WordPress is vulnerable to PHP Object Injection via deserialization of untrusted data, allowing unauthenticated attackers to execute arbitrary code on the server.
Executive summary
A critical deserialization flaw in the wpWax Directorist plugin allows unauthenticated attackers to execute arbitrary code, creating an immediate risk of full system takeover.
Vulnerability
This is a Deserialization of Untrusted Data (CWE-502) vulnerability. The plugin lacks proper verification of input, allowing unauthenticated attackers to inject malicious objects that can lead to remote code execution.
Business impact
A successful exploit grants the attacker the ability to execute arbitrary PHP code, potentially leading to total site takeover, data breach, and the deployment of persistent backdoors. The CVSS score of 9.8 highlights the severity, as the lack of required authentication makes it easily exploitable by remote actors, threatening the entire underlying infrastructure.
Remediation
Immediate Action: Update the Directorist plugin to a version beyond 8.8.2 as soon as the vendor provides a patch.
Proactive Monitoring: Review web server logs for irregular payload structures or unexpected code execution attempts associated with the Directorist plugin endpoints.
Compensating Controls: Utilize a Web Application Firewall (WAF) to filter out malicious serialized objects and prevent unauthenticated access to sensitive plugin functions.
Exploitation status
Public Exploit Available: No
Analyst recommendation
The severity of this issue mandates an immediate update. If an update is not yet available, consider temporarily deactivating the Directorist plugin until a patched version is released to mitigate the risk of remote code execution.