Skip to main content

Directorist Booking CVE-2026-22336

| EUVDEUVD-2026-25813 CRITICAL
SQL Injection (CWE-89)
2026-04-27 Patchstack
9.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

7
Re-analysis Queued
Apr 27, 2026 - 18:52 vuln.today
cvss_changed
Patch released
Apr 27, 2026 - 18:37 nvd
Patch available
Patch available
Apr 27, 2026 - 12:01 EUVD
Analysis Generated
Apr 27, 2026 - 11:30 vuln.today
EUVD ID Assigned
Apr 27, 2026 - 11:00 euvd
EUVD-2026-25813
Analysis Generated
Apr 27, 2026 - 11:00 vuln.today
CVE Published
Apr 27, 2026 - 10:24 nvd
CRITICAL 9.3

DescriptionCVE.org

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Directorist Booking allows SQL Injection.This issue affects Directorist Booking: from n/a before 3.0.2.

AnalysisAI

Unauthenticated SQL injection in Directorist Booking WordPress plugin allows remote attackers to extract sensitive database contents and cause limited denial of service. The vulnerability affects all versions prior to 3.0.2 and can be exploited remotely with low complexity and no authentication (CVSS:3.1 AV:N/AC:L/PR:N/UI:N). Patchstack has published details confirming the vulnerability exists in version 2.4.1 and earlier, with a vendor-released patch available in version 3.0.2. No CISA KEV listing or public exploit code identified at time of analysis.

Technical ContextAI

This is a classic SQL injection vulnerability (CWE-89) in the Directorist Booking plugin for WordPress. The affected software component is identified via CPE as directorist_booking:directorist_booking, a WordPress plugin that handles booking functionality for directory listings. SQL injection occurs when user-supplied input is improperly sanitized before being incorporated into SQL queries, allowing attackers to inject malicious SQL commands. The CVSS vector indicates a Changed scope (S:C), suggesting the vulnerability allows attackers to access resources beyond the plugin's normal security boundary, potentially affecting the entire WordPress database. The High confidentiality impact (C:H) combined with Low availability impact (A:L) suggests attackers can extract data and potentially cause database performance degradation or partial service disruption through resource-intensive queries.

RemediationAI

Upgrade Directorist Booking plugin to version 3.0.2 or later immediately via the WordPress admin dashboard (Plugins > Installed Plugins > Directorist Booking > Update Now) or by downloading from the official WordPress plugin repository. Version 3.0.2 contains vendor-released patches that properly sanitize SQL inputs per the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/directorist-booking/vulnerability/wordpress-directorist-booking-plugin-2-4-1-sql-injection-vulnerability?_s_id=cve. If immediate patching is not feasible, implement compensating controls with understanding of their limitations: disable the Directorist Booking plugin entirely until patched (eliminates attack surface but breaks booking functionality for site visitors), restrict WordPress admin access to trusted IP addresses only via .htaccess or firewall rules (does not prevent exploitation since vulnerability is unauthenticated and affects public-facing endpoints), deploy a Web Application Firewall with SQL injection signatures (may reduce automated exploitation but sophisticated attackers can bypass WAF filters, and creates false positive management overhead). Note that database-level permissions restrictions cannot mitigate this vulnerability since the WordPress database user requires read access for normal plugin operation.

Share

CVE-2026-22336 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy