CVE-2026-39534 Overview
CVE-2026-39534 is an unauthenticated broken access control vulnerability affecting the WP Directory Kit WordPress plugin in versions up to and including 1.5.0. The flaw is classified under CWE-862: Missing Authorization, meaning the plugin fails to verify that a requester is authorized to perform sensitive operations. Attackers can exploit this issue remotely over the network without credentials or user interaction. Successful exploitation results in unauthorized access to directory data that should otherwise be protected by access control checks.
Critical Impact
Remote attackers can reach protected directory functionality without authentication, exposing confidential directory data stored on affected WordPress sites running WP Directory Kit <= 1.5.0. The reported impact is to confidentiality only: integrity and availability are not affected, and an attacker reads data rather than modifying it or taking the site down.
Affected Products
- WP Directory Kit WordPress plugin versions <= 1.5.0
- WordPress sites with the vulnerable plugin installed and activated
- Any deployment of the plugin reachable from the public internet
Discovery Timeline
- 2026-06-15 - CVE-2026-39534 published to the National Vulnerability Database
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2026-39534
Vulnerability Analysis
The vulnerability resides in the access control logic of the WP Directory Kit plugin. The plugin exposes functionality that should require authentication or capability checks, but those checks are missing or improperly enforced. As a result, unauthenticated HTTP requests can reach handlers that perform privileged operations or return privileged data.
The issue maps to CWE-862 (Missing Authorization). According to the Patchstack Vulnerability Report, the confidentiality impact is high, while integrity and availability are unaffected. The EPSS score is 0.306% (22.049th percentile) as of 2026-06-18.
Root Cause
The root cause is the absence of authorization checks on plugin endpoints. WordPress plugins are expected to gate sensitive handlers with a capability check such as current_user_can(), and REST routes with a permission_callback that performs the same test. A nonce check (check_ajax_referer() or wp_verify_nonce()) is not a substitute: it only proves the request originated from a page that printed the nonce, which protects against CSRF, and a logged-out visitor can obtain a valid nonce from any public page that emits one. Handlers registered on wp_ajax_nopriv_{action} run for logged-out visitors, so a privileged callback registered there, or a REST route whose permission_callback always returns true, is exactly this class of flaw. WP Directory Kit does not consistently apply a capability check before executing sensitive handlers, so anonymous requests can invoke them.
Attack Vector
The attack vector is network-based and requires no privileges or user interaction. An attacker sends crafted HTTP requests to vulnerable plugin endpoints, such as admin-ajax.php actions or custom REST routes registered by the plugin. Because the handlers do not verify the caller's identity or capabilities, the server processes the request and returns protected directory data to the attacker.
The vulnerability manifests when the plugin registers an action handler without an accompanying authorization check. Refer to the Patchstack advisory for technical specifics of the affected endpoints.
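The following is an added example, not code from WP Directory Kit or from the Patchstack advisory. It shows the handler shape that produces a CWE-862 finding of the kind described in the Root Cause and Attack Vector sections, and a hardened equivalent. The action name wdk_export_entries, the REST namespace wdk/v1, the post type wdk_entry and the capability edit_others_posts are placeholders chosen for illustration; the plugin's real identifiers are in the advisory.

```php
<?php
// Added example, not WP Directory Kit code. Names below are hypothetical.

// --- Vulnerable pattern ------------------------------------------------------
// Registering the same callback on wp_ajax_nopriv_* hands it to logged-out
// visitors, and nothing inside the callback asks who is calling.
function wdk_export_entries_vulnerable() {
    $entries = get_posts( array(
        'post_type'   => 'wdk_entry',   // hypothetical directory post type
        'post_status' => 'private',     // records that should not be public
        'numberposts' => -1,
    ) );
    wp_send_json_success( $entries );   // every private record, to anyone
}
add_action( 'wp_ajax_wdk_export_entries',        'wdk_export_entries_vulnerable' );
add_action( 'wp_ajax_nopriv_wdk_export_entries', 'wdk_export_entries_vulnerable' );

// --- Hardened pattern --------------------------------------------------------
function wdk_export_entries_hardened() {
    // 1. CSRF: the request must carry a nonce issued for this action. This
    //    alone would NOT fix the flaw; an anonymous visitor can fetch a nonce
    //    from any page that prints one.
    check_ajax_referer( 'wdk_export_entries', 'nonce' );

    // 2. Authorization: the caller must hold the capability that owns the
    //    data. This is the check CWE-862 says is missing.
    if ( ! current_user_can( 'edit_others_posts' ) ) { // hypothetical capability
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    $entries = get_posts( array(
        'post_type'   => 'wdk_entry',
        'post_status' => 'private',
        'numberposts' => -1,
    ) );
    wp_send_json_success( $entries );
}
// No wp_ajax_nopriv_ registration: for an anonymous caller admin-ajax.php
// itself answers "0" with HTTP 400 before any plugin code runs.
add_action( 'wp_ajax_wdk_export_entries', 'wdk_export_entries_hardened' );

// --- Same rule for REST routes -----------------------------------------------
// 'permission_callback' => '__return_true' would be the REST equivalent of the
// vulnerable wp_ajax_nopriv_ registration above.
add_action( 'rest_api_init', function () {
    register_rest_route( 'wdk/v1', '/entries', array(   // hypothetical namespace
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => function ( WP_REST_Request $request ) {
            $entries = get_posts( array(
                'post_type'   => 'wdk_entry',
                'post_status' => 'private',
                'numberposts' => -1,
            ) );
            return rest_ensure_response( $entries );
        },
        'permission_callback' => function () {
            return current_user_can( 'edit_others_posts' );
        },
    ) );
} );
```

To reproduce the unauthenticated path against the vulnerable form, an anonymous POST to wp-admin/admin-ajax.php with action=wdk_export_entries returns the private records; against the hardened form the same request gets a 400 "0" (no nopriv hook) and a logged-in user without the capability gets a 403 JSON error.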
Detection Methods for CVE-2026-39534
Indicators of Compromise
- Anonymous HTTP POST requests to wp-admin/admin-ajax.php referencing WP Directory Kit actions from external IP addresses
- Unusual REST API calls to plugin-specific routes under /wp-json/ that carry neither a wordpress_logged_in_* cookie with an X-WP-Nonce header nor any other WordPress authentication (the Cookie header is visible to a WAF or reverse proxy, but not in a standard access log)
- Spikes in outbound responses containing directory records to single source IPs
- Web server access logs showing repeated requests to plugin endpoints with varying parameters indicative of enumeration
Detection Strategies
- Inspect WordPress access logs for unauthenticated requests targeting wpdirectorykit action names or REST namespaces
- Deploy web application firewall (WAF) rules to flag requests to plugin endpoints lacking valid authentication cookies
- Monitor for response payloads exceeding expected size when returned to unauthenticated sessions
- Cross-reference user-agent strings and source IPs against known scanning infrastructure
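The following is an added example, not part of the original page or the plugin: a scanner that applies the indicators and detection strategies above to an Apache/Nginx "combined" format access log and groups hits per source IP. The plugin's real AJAX action names and REST namespace are not given on this page, so the ACTION_PREFIX and REST_BASE values are placeholders, and the thresholds are starting points to tune against your own baseline. The log lines in the block are constructed, not real traffic.

```php
<?php
// Added example. ACTION_PREFIX, REST_BASE and both thresholds are assumptions.
// Requires PHP 8 (str_starts_with / str_ends_with).

const ACTION_PREFIX   = 'wdk_';             // assumed admin-ajax action prefix
const REST_BASE       = '/wp-json/wdk/v1/'; // assumed REST namespace
const ENUM_THRESHOLD  = 5;                  // distinct URLs from one IP = enumeration
const BYTES_THRESHOLD = 50000;              // a single response this large = bulk pull

// host ident authuser [date] "method path proto" status bytes "referer" "user-agent"
const LOG_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\d+|-) "[^"]*" "([^"]*)"$/';

function parse_line( string $line ): ?array {
    if ( ! preg_match( LOG_RE, $line, $m ) ) {
        return null;
    }
    $url   = parse_url( $m[4] );
    $query = array();
    if ( ! empty( $url['query'] ) ) {
        parse_str( $url['query'], $query );
    }
    return array(
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'url'    => $m[4],
        'path'   => $url['path'] ?? $m[4],
        'query'  => $query,
        'status' => (int) $m[5],
        'bytes'  => $m[6] === '-' ? 0 : (int) $m[6],
        'ua'     => $m[7],
    );
}

// True when the request hits the plugin's admin-ajax actions or REST routes.
// Caveat: a POST to admin-ajax.php usually carries "action" in the body, which
// a standard access log does not record; only query-string actions show here.
function targets_plugin( array $r ): bool {
    if ( str_ends_with( $r['path'], '/wp-admin/admin-ajax.php' ) ) {
        return str_starts_with( $r['query']['action'] ?? '', ACTION_PREFIX );
    }
    return str_starts_with( $r['path'], REST_BASE );
}

function scan( array $lines ): array {
    $per_ip = array();
    foreach ( $lines as $line ) {
        $r = parse_line( $line );
        if ( $r === null || ! targets_plugin( $r ) ) {
            continue;
        }
        $ip = $r['ip'];
        if ( ! isset( $per_ip[ $ip ] ) ) {
            $per_ip[ $ip ] = array( 'hits' => 0, 'bytes' => 0, 'urls' => array(), 'large' => 0, 'ua' => $r['ua'] );
        }
        $per_ip[ $ip ]['hits']++;
        $per_ip[ $ip ]['bytes'] += $r['bytes'];
        $per_ip[ $ip ]['urls'][ $r['url'] ] = true;   // distinct URLs, for enumeration
        if ( $r['status'] === 200 && $r['bytes'] > BYTES_THRESHOLD ) {
            $per_ip[ $ip ]['large']++;
        }
    }
    $findings = array();
    foreach ( $per_ip as $ip => $s ) {
        $reasons = array();
        if ( count( $s['urls'] ) >= ENUM_THRESHOLD ) {
            $reasons[] = 'enumeration';
        }
        if ( $s['large'] > 0 ) {
            $reasons[] = 'bulk_response';
        }
        if ( $reasons ) {
            $findings[ $ip ] = array( 'reasons' => $reasons, 'hits' => $s['hits'], 'bytes' => $s['bytes'], 'ua' => $s['ua'] );
        }
    }
    return $findings;
}

// Constructed sample: a page-by-page scrape from one IP, one oversized REST
// pull from another, and one ordinary search that should not be flagged.
$sample = array();
for ( $page = 1; $page <= 6; $page++ ) {
    $sample[] = sprintf( '203.0.113.7 - - [16/Jun/2026:10:01:%02d +0000] "POST /wp-admin/admin-ajax.php?action=wdk_get_listings&page=%d HTTP/1.1" 200 61234 "-" "python-requests/2.31"', $page, $page );
}
$sample[] = '198.51.100.9 - - [16/Jun/2026:10:05:00 +0000] "GET /wp-json/wdk/v1/listings?per_page=500 HTTP/1.1" 200 80211 "-" "curl/8.5.0"';
$sample[] = '192.0.2.4 - - [16/Jun/2026:10:06:10 +0000] "GET /directory/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"';
$sample[] = '192.0.2.4 - - [16/Jun/2026:10:06:12 +0000] "POST /wp-admin/admin-ajax.php?action=wdk_search&q=smith HTTP/1.1" 200 3100 "https://example.com/directory/" "Mozilla/5.0"';

// php scan.php /var/log/apache2/access.log, or no argument for the sample.
$lines = ( PHP_SAPI === 'cli' && isset( $argv[1] ) ) ? file( $argv[1], FILE_IGNORE_NEW_LINES ) : $sample;
foreach ( scan( $lines ) as $ip => $f ) {
    printf( "%-15s %-26s hits=%d bytes=%d ua=%s\n", $ip, implode( ',', $f['reasons'] ), $f['hits'], $f['bytes'], $f['ua'] );
}
```

On the sample, the scraping IP is reported for both enumeration and bulk responses, the curl client for a bulk response only, and the browser session is left alone. The script cannot tell whether a request was authenticated, because combined logs carry no Cookie header; pair it with WAF logs, or log only the presence of the wordpress_logged_in_* cookie (never its value) through a custom LogFormat, if that distinction matters for your alerting.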
Monitoring Recommendations
- Enable verbose logging on admin-ajax.php and REST API endpoints to capture full request context, including the admin-ajax action parameter, which for POST requests is usually in the body and therefore absent from standard access logs
- Forward WordPress and web server logs to a centralized SIEM for correlation with threat intelligence feeds
- Establish baselines for legitimate plugin traffic and alert on deviations
- Track plugin version inventories across managed WordPress instances to identify exposure
How to Mitigate CVE-2026-39534
Immediate Actions Required
- Identify all WordPress sites running WP Directory Kit version 1.5.0 or earlier
- Update the plugin to the patched version released after 1.5.0 as referenced in the Patchstack advisory
- Audit logs for prior unauthenticated requests to plugin endpoints to determine potential exposure
- Restrict administrative access; review what the directory stored and, if it held contact details or other personal data, treat that data as potentially disclosed under your incident and notification process; rotate any credentials or secrets that may have been kept in directory records
Patch Information
A fixed version is referenced through the Patchstack Vulnerability Report. Administrators should upgrade WP Directory Kit to the latest version available from the WordPress plugin repository and verify the new version is greater than 1.5.0.
Workarounds
- Deactivate and remove the WP Directory Kit plugin until the patched version can be applied
- Apply WAF rules to block unauthenticated requests to the plugin AJAX actions and REST routes named in the advisory; scope the rules to those endpoints, since blocking every anonymous call to the plugin would also break any directory views it legitimately serves to public visitors
- Restrict access to the affected WordPress site by IP allowlist while remediation is performed
- Use a managed WordPress security service such as Patchstack to apply virtual patching until the official update is deployed
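The following is an added example of the WAF-style workaround above implemented inside WordPress itself, as a must-use plugin that refuses anonymous calls to specific plugin endpoints until the upgrade is applied. It is not a Patchstack or WP Directory Kit file. The action names, REST namespace and plugin file path are placeholders to be replaced with the values from the advisory and the site's wp-content/plugins directory.

```php
<?php
/**
 * Plugin Name: WDK temporary access gate (added example, not a vendor file)
 *
 * Copy into wp-content/mu-plugins/ while waiting for the fixed release and
 * delete it after upgrading. WDK_GATE_ACTIONS, WDK_GATE_REST_BASE and
 * WDK_GATE_PLUGIN_FILE are assumptions; take the real values from the advisory.
 */

const WDK_GATE_ACTIONS     = array( 'wdk_export_entries', 'wdk_get_listings' ); // assumed
const WDK_GATE_REST_BASE   = '/wdk/v1/';                                         // assumed
const WDK_GATE_PLUGIN_FILE = 'wp-directory-kit/wp-directory-kit.php';            // assumed
const WDK_GATE_MAX_VERSION = '1.5.0';   // page: versions <= 1.5.0 are affected

// Engage only while a vulnerable version is installed, so the gate goes inert
// (and stops masking a failed upgrade) once the fixed release is in place.
function wdk_gate_active(): bool {
    if ( ! function_exists( 'get_plugin_data' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $path = WP_PLUGIN_DIR . '/' . WDK_GATE_PLUGIN_FILE;
    if ( ! file_exists( $path ) ) {
        return false;
    }
    $data = get_plugin_data( $path, false, false );
    return version_compare( $data['Version'], WDK_GATE_MAX_VERSION, '<=' );
}

// admin-ajax.php fires admin_init before dispatching wp_ajax_* hooks, so a
// priority-0 handler here runs ahead of the plugin's wp_ajax_nopriv_* callback.
add_action( 'admin_init', function () {
    if ( ! wp_doing_ajax() || is_user_logged_in() || ! wdk_gate_active() ) {
        return;
    }
    $action = isset( $_REQUEST['action'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['action'] ) ) : '';
    if ( in_array( $action, WDK_GATE_ACTIONS, true ) ) {
        error_log( 'wdk-gate: blocked anonymous admin-ajax action ' . $action
            . ' from ' . ( $_SERVER['REMOTE_ADDR'] ?? 'unknown' ) );
        wp_send_json_error( array( 'message' => 'authentication required' ), 401 );
    }
}, 0 );

// REST: short-circuit dispatch for anonymous requests under the plugin namespace.
// Authentication has already run by this point, so a browser session that sends
// its X-WP-Nonce (or a client using an application password) passes through.
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    if ( null !== $result || is_user_logged_in() || ! wdk_gate_active() ) {
        return $result;
    }
    if ( str_starts_with( $request->get_route(), WDK_GATE_REST_BASE ) ) {
        error_log( 'wdk-gate: blocked anonymous REST call ' . $request->get_route()
            . ' from ' . ( $_SERVER['REMOTE_ADDR'] ?? 'unknown' ) );
        return new WP_Error( 'wdk_gate_unauthorized', 'authentication required', array( 'status' => 401 ) );
    }
    return $result;
}, 0, 3 );
```

This gate is a stopgap, not a fix: it blocks by endpoint name rather than restoring the missing capability check, so any affected endpoint not listed stays open, and listing an endpoint the plugin uses for its public directory pages will break those pages for visitors. Remove the file once the upgrade is verified.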
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

