CVE-2025-12833

Name of the Vulnerable Software and Affected Versions GeoDirectory – WP Business Directory Plugin and Classified Listings Directory plugin for WordPress versions prior to 2.8.139

Description The GeoDirectory plugin for WordPress is susceptible to an Insecure Direct Object Reference issue. This flaw stems from a lack of validation on a user-controlled key within the post attachment upload function. Authenticated attackers possessing author-level access or higher can exploit this to attach arbitrary image files to unintended locations.

Recommendations Update to a version beyond 2.8.139.