{"id":"CVE-2025-12833","details":"The GeoDirectory – WP Business Directory Plugin and Classified Listings Directory plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.8.139 via the 'post_attachment_upload' function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with author-level access and above, to attach arbitrary image files to arbitrary places.","modified":"2026-04-10T05:21:55.594612Z","published":"2025-11-12T05:15:41.940Z","references":[{"type":"WEB","url":"https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3393024%40geodirectory&new=3393024%40geodirectory&sfp_email=&sfph_mail="},{"type":"WEB","url":"https://wordpress.org/plugins/geodirectory/"},{"type":"WEB","url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/408f0c2a-ef3c-4592-8722-d56afce92e24?source=cve"},{"type":"FIX","url":"https://github.com/AyeCode/geodirectory/commit/db655b04be32a160c0abf73217faf0a50585aa92"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/ayecode/geodirectory","events":[{"introduced":"0"},{"fixed":"db655b04be32a160c0abf73217faf0a50585aa92"}]}],"versions":["1.3.8","1.5.7","1.5.8","1.5.9","1.6.0","1.6.1","1.6.10","1.6.11","1.6.12","1.6.15","1.6.16","1.6.17","1.6.18","1.6.19","1.6.2","1.6.20","1.6.21","1.6.3","1.6.4","1.6.5","1.6.6","1.6.7","1.6.8","1.6.9","2.0.0.0-beta","2.0.0.0-dev","2.0.0.0-rc","2.0.0.1-beta","2.0.0.1-dev","2.0.0.10-beta","2.0.0.100","2.0.0.101","2.0.0.11-beta","2.0.0.12-beta","2.0.0.13-beta","2.0.0.14-beta","2.0.0.15-rc","2.0.0.16-rc","2.0.0.17","2.0.0.18","2.0.0.19","2.0.0.2-beta","2.0.0.2-dev","2.0.0.20","2.0.0.21","2.0.0.22","2.0.0.23","2.0.0.24","2.0.0.25","2.0.0.26","2.0.0.27","2.0.0.28","2.0.0.29","2.0.0.3-beta","2.0.0.30","2.0.0.31","2.0.0.32","2.0.0.33","2.0.0.34","2.0.0.35","2.0.0.36","2.0.0.37","2.0.0.38","2.0.0.39","2.0.0.4-beta","2.0.0.40","2.0.0.41","2.0.0.42","2.0.0.43","2.0.0.44","2.0.0.45","2.0.0.46","2.0.0.47","2.0.0.48","2.0.0.49","2.0.0.5-beta","2.0.0.50","2.0.0.51","2.0.0.52","2.0.0.53","2.0.0.54","2.0.0.55","2.0.0.56","2.0.0.57","2.0.0.58","2.0.0.59","2.0.0.6-beta","2.0.0.60","2.0.0.61","2.0.0.62","2.0.0.63","2.0.0.64","2.0.0.65","2.0.0.66","2.0.0.67","2.0.0.68","2.0.0.69","2.0.0.7-beta","2.0.0.70","2.0.0.71","2.0.0.72","2.0.0.73","2.0.0.74","2.0.0.75","2.0.0.76","2.0.0.77","2.0.0.78","2.0.0.79","2.0.0.8-beta","2.0.0.80","2.0.0.81","2.0.0.82","2.0.0.83","2.0.0.84","2.0.0.85","2.0.0.86","2.0.0.87","2.0.0.88","2.0.0.89","2.0.0.9-beta","2.0.0.90","2.0.0.91","2.0.0.92","2.0.0.93","2.0.0.94","2.0.0.95","2.0.0.96","2.0.0.97","2.0.0.98","2.0.0.99","2.1.0.0","2.1.0.1","2.1.0.10","2.1.0.11","2.1.0.12","2.1.0.13","2.1.0.14","2.1.0.15","2.1.0.16","2.1.0.17","2.1.0.18","2.1.0.19","2.1.0.2","2.1.0.20","2.1.0.3","2.1.0.4","2.1.0.5","2.1.0.6","2.1.0.7","2.1.0.8","2.1.0.9","2.1.1.0","2.1.1.1","2.1.1.2","2.1.1.3","2.1.1.4","2.1.1.5","2.1.1.6","2.1.1.7","2.1.1.8","2.1.1.9","2.2","2.2.1","2.2.10","2.2.11","2.2.12","2.2.13","2.2.14","2.2.15","2.2.16","2.2.17","2.2.18","2.2.2","2.2.3","2.2.4","2.2.5","2.2.6","2.2.7","2.2.8","2.2.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-12833.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}]}