CVE-2026-39534 7.5 HIGH
Broken access control in the WP Directory Kit plugin allows unauthenticated attackers to access and retrieve data served by privileged plugin actions without any authorization check.
| Product | WP Directory Kit |
|---|---|
| Affected Versions | ≤ 1.5.0 |
| Fixed Version | 1.5.1 |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| CWE | CWE-862 (Missing Authorization) |
| Published | 2026-04-08 |
| Active installs | 3,000+ |
Description
The WP Directory Kit plugin for WordPress is vulnerable to Broken Access Control in all versions up to and including 1.5.0. The vulnerable function exposed through the plugin's AJAX surface does not enforce any capability, authentication, or nonce verification before executing, so any unauthenticated visitor can invoke it and retrieve data that should only be reachable by privileged users. The issue stems from missing authorization checks in a handler that was intended for administrative or member-only use.
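The pattern described above, shown as an added example that is not WP Directory Kit's own code: a hypothetical WordPress AJAX handler (function names, action name `hdk_fetch_listings` and option key are made up) registered on the `wp_ajax_nopriv_` hook with no checks, beside the hardened version that is only reachable when authenticated, verifies a nonce and requires a capability.

```php
<?php
// Hypothetical plugin code; every identifier here is invented for illustration.

// Before: registered for logged-out visitors via wp_ajax_nopriv_ and returning
// member-only data with no authentication, capability or nonce verification.
function hdk_vulnerable_fetch_listings() {
    $listings = get_option( 'hdk_private_listings', array() );
    wp_send_json_success( $listings );
}
add_action( 'wp_ajax_hdk_fetch_listings',        'hdk_vulnerable_fetch_listings' );
add_action( 'wp_ajax_nopriv_hdk_fetch_listings', 'hdk_vulnerable_fetch_listings' );

// After: the handler is registered only on the authenticated hook, checks a nonce
// bound to this specific action, and requires a capability before reading data.
function hdk_secure_fetch_listings() {
    // Terminates the request with -1 / HTTP 403 if the nonce is absent or invalid.
    check_ajax_referer( 'hdk_fetch_listings', 'nonce' );

    if ( ! is_user_logged_in() || ! current_user_can( 'read_private_posts' ) ) {
        // wp_send_json_error() calls wp_die(), so nothing below runs on failure.
        wp_send_json_error( array( 'message' => 'Not permitted.' ), 403 );
    }

    $listings = get_option( 'hdk_private_listings', array() );
    wp_send_json_success( $listings );
}
// No wp_ajax_nopriv_ registration: unauthenticated requests never reach the handler.
add_action( 'wp_ajax_hdk_fetch_listings', 'hdk_secure_fetch_listings' );

// The nonce has to be issued to the page that calls the endpoint so that
// legitimate front-end requests can pass check_ajax_referer().
function hdk_enqueue_assets() {
    wp_enqueue_script( 'hdk-directory', plugins_url( 'js/directory.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'hdk-directory', 'hdkAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'hdk_fetch_listings' ),
    ) );
}
add_action( 'wp_enqueue_scripts', 'hdk_enqueue_assets' );
```

When auditing a plugin for this class of bug, grep for every `wp_ajax_nopriv_` registration and confirm the handler genuinely serves public data; a nonce alone is not an authorization check, so privileged handlers need a `current_user_can()` test as well.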
Impact
An unauthenticated attacker can directly invoke the vulnerable handler and extract directory data managed by the plugin, bypassing the access control the site administrator intended to enforce. On sites that use WP Directory Kit to gate listings behind authentication or membership, this results in uncontrolled disclosure of records that the owner never meant to expose publicly.