CVE-2026-54831: GeoDirectory – WP Business Directory Plugin and Classified Listings Directory <= 2.8.162 Unauthenticated SQL Injection PoC, Patch Analysis & Rule

“`json
{
“analysis”: “Atomic Edge analysis of CVE-2026-54831: GeoDirectory plugin version 2.8.162 and earlier contains an unauthenticated SQL injection vulnerability in the search functionality. This allows attackers to extract sensitive database information through crafted search queries. The vulnerability has a CVSS score of 7.5.nnThe root cause is insufficient input sanitization and unsafe SQL query construction in the `geodir-search` feature. The vulnerable code resides in `wp-content/plugins/geodirectory/includes/class-geodir-query.php` at lines 519-669. The function mishandles the search term variables `$s` and `$s_A`. In the vulnerable version, `$s_A` is passed through `wp_specialchars_decode()` but is then inserted directly into a SQL query on line 669 without proper parameterization via `$wpdb->prepare()`. The `$s_A` variable gets embedded into the `IN ($s_A)` clause, bypassing the `%s` placeholder. This allows SQL injection when the search term contains an ampersand character `&`.nnAn unauthenticated attacker can exploit this by sending a GET request to the WordPress site with a crafted search parameter `s` containing an ampersand along with injected SQL syntax. For example, the parameter `s=1&1=1 UNION SELECT …` triggers the vulnerable code path where `$s_A` receives the unparameterized value. The specific request path requires triggering the search endpoint that uses the GeoDirectory search widget or shortcode. The `strpos($s, ‘&’)` check on line 666 in the patched version indicates the vulnerability is triggered when the search term contains a literal ampersand character.nnThe patch in version 2.8.163 addresses the vulnerability by removing the `wp_specialchars_decode()` call on `$s_A` (commented out on line 522). This prevents HTML entity decoding that could transform encoded ampersands into raw ones. Additionally, the patch adds explicit handling for search terms containing an ampersand by checking `strpos($s, ‘&’)`. When an ampersand is present, the code now escapes the `$s_A` variable using `str_replace()` to convert ampersands to HTML entities before insertion into the `IN ()` clause. This ensures the database receives safe, expected values rather than interpreted SQL.nnSuccessful exploitation allows an unauthenticated attacker to execute arbitrary SQL queries against the WordPress database. This can lead to complete data disclosure including usernames, password hashes, session tokens, and other sensitive information stored in the database. The SQL injection can also be used to modify database content, potentially leading to privilege escalation or full site compromise. Since the vulnerability requires no authentication, it poses a significant risk to all sites running the vulnerable plugin version.”,
“poc_php”: “n”,
“modsecurity_rule”: “# Atomic Edge WAF Rule – CVE-2026-54831n# Block unauthenticated SQL injection via the GeoDirectory search parameter `s` with ampersand.n# This rule matches requests to the WordPress main query with `geodir_search=1` and a search term containing an ampersand used for SQL injection.nnSecRule REQUEST_URI “@contains /” \n “id:202654831,phase:2,deny,status:403,msg:’CVE-2026-54831 GeoDirectory SQL Injection Attempt’,severity:’CRITICAL’,tag:’CVE-2026-54831′,chain”n SecRule ARGS_GET:geodir_search “@streq 1” “chain”n SecRule ARGS_GET:s “@rx [&]+.*(?:SELECT|UNION|INSERT|UPDATE|DELETE|DROP|OR|AND)” “t:urlDecode”n”
“`