Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
7DescriptionCVE.org
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Directorist Booking allows SQL Injection.This issue affects Directorist Booking: from n/a before 3.0.2.
AnalysisAI
Unauthenticated SQL injection in Directorist Booking WordPress plugin allows remote attackers to extract sensitive database contents and cause limited denial of service. The vulnerability affects all versions prior to 3.0.2 and can be exploited remotely with low complexity and no authentication (CVSS:3.1 AV:N/AC:L/PR:N/UI:N). Patchstack has published details confirming the vulnerability exists in version 2.4.1 and earlier, with a vendor-released patch available in version 3.0.2. No CISA KEV listing or public exploit code identified at time of analysis.
Technical ContextAI
This is a classic SQL injection vulnerability (CWE-89) in the Directorist Booking plugin for WordPress. The affected software component is identified via CPE as directorist_booking:directorist_booking, a WordPress plugin that handles booking functionality for directory listings. SQL injection occurs when user-supplied input is improperly sanitized before being incorporated into SQL queries, allowing attackers to inject malicious SQL commands. The CVSS vector indicates a Changed scope (S:C), suggesting the vulnerability allows attackers to access resources beyond the plugin's normal security boundary, potentially affecting the entire WordPress database. The High confidentiality impact (C:H) combined with Low availability impact (A:L) suggests attackers can extract data and potentially cause database performance degradation or partial service disruption through resource-intensive queries.
RemediationAI
Upgrade Directorist Booking plugin to version 3.0.2 or later immediately via the WordPress admin dashboard (Plugins > Installed Plugins > Directorist Booking > Update Now) or by downloading from the official WordPress plugin repository. Version 3.0.2 contains vendor-released patches that properly sanitize SQL inputs per the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/directorist-booking/vulnerability/wordpress-directorist-booking-plugin-2-4-1-sql-injection-vulnerability?_s_id=cve. If immediate patching is not feasible, implement compensating controls with understanding of their limitations: disable the Directorist Booking plugin entirely until patched (eliminates attack surface but breaks booking functionality for site visitors), restrict WordPress admin access to trusted IP addresses only via .htaccess or firewall rules (does not prevent exploitation since vulnerability is unauthenticated and affects public-facing endpoints), deploy a Web Application Firewall with SQL injection signatures (may reduce automated exploitation but sophisticated attackers can bypass WAF filters, and creates false positive management overhead). Note that database-level permissions restrictions cannot mitigate this vulnerability since the WordPress database user requires read access for normal plugin operation.
More in Directorist Booking
View allSame weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25813