External risk intelligence

GeoDirectory Unauthenticated SQL Injection Vulnerability

CVE advisory

Severity: CRITICAL (CVSS 9.3)

CVE-2026-39512

An unauthenticated SQL injection vulnerability in the GeoDirectory plugin allows attackers to access or modify database information through network requests. This could lead to unauthorized data access or service disruption for public-facing web components. Confirming relevance and exposure within your web infrastructu

Halo Surface Signal: 4

SQL Injection

External exposure likelihood

Halo Surface Signal score for CVE-2026-39512

The vulnerability exists in a WordPress plugin designed to handle directory data, which is typically deployed as a public-facing web component. Because it functions as part of a website's web-accessible interface, it is commonly exposed to the internet in standard deployments.

PCI scan relevance

PCI Relevance for CVE-2026-39512

Yes

CVE-2026-39512 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This SQL injection vulnerability allows unauthenticated attackers to execute SQL commands, which would likely cause a PCI ASV scan to fail.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns a critical vulnerability, SQL Injection, found in the GeoDirectory plugin. This type of flaw could allow unauthorized access to or manipulation of the underlying database. The main concern is confirming relevance and exposure within your existing web infrastructure.

  • Unauthenticated database access vulnerability found.
  • Impacts public-facing directory website components.
  • Confirm relevance and exposure to your business.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by sending specially crafted requests over the network to a web server hosting the affected software. This unauthenticated SQL injection flaw allows an attacker to interact with the GeoDirectory component, potentially leading to unauthorized access to or manipulation of the underlying database.

  • No authentication required.
  • Triggered by sending malicious network requests.
  • Risk of unauthorized database access.

Live Threat

Current exploitation, exposure, and threat context

This unauthenticated SQL injection vulnerability could allow an attacker to interfere with database operations, potentially leading to information disclosure or disruption of service. It affects the GeoDirectory plugin when it is exposed to the network.

  • Sensitive database data could be read.
  • Malicious SQL queries could be injected.
  • Service may become unavailable.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This unauthenticated SQL injection vulnerability in GeoDirectory affects public-facing web components, likely requiring action from platform or application teams. The first practical step is to identify all instances of GeoDirectory, confirm their exposure and business criticality, and then assign an owner to plan remediation based on assessed risk.

  • Platform or application teams should own remediation.
  • Verify public exposure and business criticality.
  • Plan remediation based on risk assessment.

Frequently asked questions

What is the GeoDirectory plugin used for?

GeoDirectory is a WordPress plugin designed to turn a website into a directory-based platform, such as a business listing or real estate portal. It handles the storage and retrieval of location-based data and listings, acting as a core engine for managing and displaying structured directory content on the web.

What does SQL injection mean for CVE-2026-39512?

This vulnerability, classified as CWE-89, involves a flaw where the software fails to properly sanitize user-supplied data before including it in a database query. Because of this, an attacker can submit crafted input that the database executes as a command, potentially allowing them to view, modify, or disrupt the sensitive information stored within the system.
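As an added illustration of the CWE-89 pattern in a WordPress plugin context (not code from GeoDirectory or from this advisory), the following shows a listing lookup built by string concatenation beside the same lookup written with $wpdb->prepare(). The table name, request parameter and AJAX action are hypothetical.

```php
<?php
// Added illustration of CWE-89 in a WordPress plugin; hypothetical
// listings table and parameters, not GeoDirectory code.

// INSECURE: the request value is spliced straight into the SQL text, so
// the database cannot distinguish query structure from user data.
function example_listings_by_city_insecure( $city ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_listings'; // hypothetical table
    $sql   = "SELECT id, title FROM {$table} WHERE city = '" . $city . "' LIMIT 50";
    return $wpdb->get_results( $sql, ARRAY_A );
}

// HARDENED: the query shape is fixed when prepare() runs; values travel
// through %s / %d placeholders and are escaped by WordPress before execution.
function example_listings_by_city_prepared( $city, $limit = 50 ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_listings'; // hypothetical table
    $city  = sanitize_text_field( $city );       // normalise input; the placeholder is the real control
    $limit = absint( $limit );                   // force a non-negative integer
    $sql   = $wpdb->prepare(
        "SELECT id, title FROM {$table} WHERE city = %s LIMIT %d",
        $city,
        $limit
    );
    return $wpdb->get_results( $sql, ARRAY_A );
}

// An unauthenticated (nopriv) AJAX endpoint is where the distinction matters
// most: nothing upstream has validated the caller or the input.
add_action( 'wp_ajax_nopriv_example_listings', function () {
    $city = isset( $_GET['city'] ) ? wp_unslash( $_GET['city'] ) : '';
    wp_send_json_success( example_listings_by_city_prepared( $city ) );
} );
```

When reviewing a plugin for this class of flaw, search for $wpdb calls whose SQL string is assembled with concatenation or interpolation of request data rather than passed through prepare().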

How is this GeoDirectory vulnerability triggered?

The flaw is triggered when an attacker sends a specially crafted network request to the web server hosting the affected plugin. No login or prior authentication is required to initiate this process. Importantly, simply browsing the site or interacting with legitimate features does not trigger the bug; the attacker must deliberately send malicious code through the network to exploit the insecure query processing.

Do I need to worry about this if my site is not public?

According to Halo Surface Signal, this plugin is typically deployed as a public-facing component to facilitate directory services, making it likely exposed to the internet. If your instance is entirely isolated from the network, the risk is reduced; however, if your directory or any part of the site using this plugin is reachable via the internet, it is considered exposed to this threat.

When should I take action on CVE-2026-39512?

You should prioritize this by first identifying every location in your environment where GeoDirectory is running. Confirm whether those instances are accessible via the internet and determine their overall importance to your business operations. Once you have a clear inventory, assign the task to your application or platform teams to plan and carry out the necessary updates to secure your data.
