Attack Vectors
DirectoryPress – Business Directory And Classified Ad Listing (slug: directorypress) versions 3.6.26 and earlier are affected by a Medium-severity missing authorization issue (CVE-2026-27387, CVSS 4.3). The vulnerability allows an attacker who can log in with a low-privilege account (such as a subscriber) to trigger an action they should not be allowed to perform.
From a business-risk perspective, this means the threat is most relevant when your site permits account creation, uses memberships, or supports user logins for listings, classifieds, or partner access. The attacker does not need to trick staff into clicking anything; the primary requirement is having authenticated access at subscriber level or above.
Details: CVE-2026-27387 record.
Security Weakness
The weakness is a missing capability check (an authorization control) in a plugin function in DirectoryPress – Business Directory And Classified Ad Listing up to version 3.6.26. In WordPress terms, a capability check is the call (typically current_user_can()) that asks whether the current user holds the permission a specific action requires; being logged in is authentication, not authorization, and does not establish that. The plugin does not consistently perform that check before carrying out the action, so any account at subscriber level or above can invoke it.
Because the issue applies to authenticated users, it can be overlooked in organizations focused mainly on “external hacker” scenarios. However, any environment with many user accounts (customers, partners, contractors, temporary staff, or test accounts) increases exposure.
Vendor/analysis source: Wordfence vulnerability report.
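The pattern behind this class of bug, shown as an added illustration rather than DirectoryPress code (the page does not identify the affected function, so every function, hook, nonce and post-type name below is hypothetical): a WordPress admin-ajax handler whose only gate is that the caller is logged in, next to the same handler with a nonce check and an object-level capability check.

```php
<?php
/**
 * Added illustration of a missing capability check in a WordPress AJAX handler.
 * Not DirectoryPress code: all names (example_*, the 'example_listing' post type)
 * are hypothetical and chosen only to make the pattern concrete.
 */

// --- Vulnerable pattern -------------------------------------------------------
// wp_ajax_{action} hooks fire for EVERY authenticated user, subscribers included.
// Wiring the handler like this (commented out here so it is never registered)
// means "logged in" is the only gate:
// add_action( 'wp_ajax_example_update_listing', 'example_update_listing_insecure' );
function example_update_listing_insecure() {
    $listing_id = isset( $_POST['listing_id'] ) ? absint( $_POST['listing_id'] ) : 0;
    $title      = isset( $_POST['title'] )
        ? sanitize_text_field( wp_unslash( $_POST['title'] ) )
        : '';

    // Input is sanitized (no XSS/SQLi here), but nobody asked whether THIS user
    // is allowed to change THIS listing. A subscriber can rename anyone's listing.
    wp_update_post( array( 'ID' => $listing_id, 'post_title' => $title ) );
    wp_send_json_success();
}

// --- Hardened pattern ---------------------------------------------------------
add_action( 'wp_ajax_example_update_listing', 'example_update_listing_secure' );
function example_update_listing_secure() {
    // 1. CSRF: the request must carry a nonce minted for this action
    //    (wp_create_nonce( 'example_update_listing' ) on the page side).
    //    check_ajax_referer() dies with -1 / HTTP 403 when the nonce is bad.
    check_ajax_referer( 'example_update_listing', 'nonce' );

    $listing_id = isset( $_POST['listing_id'] ) ? absint( $_POST['listing_id'] ) : 0;
    $title      = isset( $_POST['title'] )
        ? sanitize_text_field( wp_unslash( $_POST['title'] ) )
        : '';

    // 2. Object type: refuse to touch posts that are not the plugin's own listings,
    //    otherwise the handler becomes a generic "edit any post" primitive.
    if ( ! $listing_id || get_post_type( $listing_id ) !== 'example_listing' ) {
        wp_send_json_error( array( 'message' => 'Not a listing' ), 400 );
    }

    // 3. Authorization: check the capability against the concrete object, not
    //    just a role. 'edit_post' is a meta capability that map_meta_cap()
    //    resolves to edit_posts / edit_others_posts / edit_published_posts
    //    depending on who owns the post and its status, so a subscriber who
    //    owns nothing and an author editing someone else's listing both fail.
    if ( ! current_user_can( 'edit_post', $listing_id ) ) {
        // wp_send_json_error() calls wp_die(), so execution stops here.
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    wp_update_post( array( 'ID' => $listing_id, 'post_title' => $title ) );
    wp_send_json_success( array( 'id' => $listing_id ) );
}
```

Two things to take from the hardened version when auditing a plugin of your own: is_user_logged_in() and the wp_ajax_ prefix are not authorization, and a bare role check such as current_user_can( 'administrator' ) is weaker than a capability check against the object being changed, because it says nothing about who owns that object.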
Technical or Business Impacts
Although rated Medium severity, missing authorization vulnerabilities can create meaningful business risk because they undermine the integrity of workflows and content. With subscriber-level access and above, an attacker may be able to perform an unauthorized action within the plugin’s feature set, potentially affecting how listings, ads, or related operational data are managed.
Potential business impacts include reduced trust in site content, operational disruption for teams managing listings/classifieds, and increased compliance and audit burden if unauthorized changes affect customer-facing information or regulated communications. This can also translate into brand risk if inaccurate or unauthorized content appears on high-visibility pages.
Recommended action: Update DirectoryPress – Business Directory And Classified Ad Listing to version 3.6.27 or newer (patched). As a governance step, review who has accounts on the site, remove dormant users, and ensure subscriber-level access is granted only where truly necessary.
Similar Attacks
Authorization gaps, where a system fails to confirm that a user is allowed to perform an action, are a common root cause of real-world incidents; OWASP lists Broken Access Control as the top category in its Top 10. For additional context, see these widely recognized references:
OWASP Top 10: Broken Access Control
CISA: Web application security risks (overview)