Skip to main content

WP Directory Kit CVE-2026-42672

| EUVDEUVD-2026-33691 CRITICAL
SQL Injection (CWE-89)
2026-06-01 Patchstack GHSA-6w2j-fvqj-5fjx
9.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 01, 2026 - 17:15 vuln.today

DescriptionCVE.org

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Wp Directory Kit WP Directory Kit allows Blind SQL Injection.

This issue affects WP Directory Kit: from n/a through 1.5.1.

AnalysisAI

Blind SQL injection in the WP Directory Kit WordPress plugin (versions up to and including 1.5.1) allows remote unauthenticated attackers to inject crafted SQL fragments into backend queries, enabling extraction of database contents and limited tampering with site availability. The CVSS 9.3 score reflects network-reachable exploitation with no privileges or user interaction and a scope change into the WordPress database context; no public exploit identified at time of analysis, though Patchstack has cataloged the flaw.

Technical ContextAI

WP Directory Kit is a WordPress plugin (CPE cpe:2.3:a:wp_directory_kit:wp_directory_kit) used to build directory listings inside WordPress sites. The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), meaning user-controllable input is concatenated into a SQL query without parameterized binding or proper escaping via wpdb->prepare(). Because the variant is blind SQL injection, the vulnerable endpoint does not echo query results directly; attackers infer data through boolean/time-based side channels against the underlying MySQL/MariaDB database that backs WordPress.

RemediationAI

Patch available per vendor advisory: upgrade WP Directory Kit beyond 1.5.1 to the fixed release listed in the Patchstack entry at https://patchstack.com/database/wordpress/plugin/wpdirectorykit/vulnerability/wordpress-wp-directory-kit-plugin-1-5-1-sql-injection-vulnerability; the exact patched version number is not stated in the input data, so confirm against the advisory before deploying. If immediate upgrade is not possible, deactivate the WP Directory Kit plugin until patched (trade-off: directory listing pages will return 404 or blank), or front the site with a WAF such as Patchstack, Wordfence, or Cloudflare with SQLi rules tuned for the plugin's request paths (trade-off: rule bypasses are common against blind SQLi and false positives may break legitimate directory search/filter parameters). Additionally, restrict database user privileges so the WordPress DB account cannot read tables outside the WordPress schema, reducing data exposure from any future SQLi.

CVE-2024-3217 HIGH
8.8 Apr 05

The WP Directory Kit plugin for WordPress is vulnerable to SQL Injection via the 'attribute_value' and 'attribute_id' pa

CVE-2025-13390 CRITICAL POC
10.0 Dec 03

The WP Directory Kit plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1

CVE-2023-2278 CRITICAL POC
9.8 Jun 13

The WP Directory Kit plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 1.1.9

CVE-2023-2351 MEDIUM POC
6.5 Jun 13

The WP Directory Kit plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a m

CVE-2023-2835 MEDIUM POC
6.1 Jun 02

The WP Directory Kit plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'search' parameter in

CVE-2023-2277 MEDIUM POC
6.1 Jun 13

The WP Directory Kit plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including,

CVE-2026-39531 CRITICAL
9.3 May 21

Blind SQL injection in the WP Directory Kit WordPress plugin (versions up to and including 1.5.0) allows remote unauthen

CVE-2026-39534 HIGH
7.5 Jun 15

Unauthenticated broken access control in the WP Directory Kit WordPress plugin (versions ≤ 1.5.0) allows remote attacker

CVE-2024-29774 HIGH
7.1 Mar 27

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WpDirectoryKit WP

CVE-2023-2280 MEDIUM
6.5 Jun 09

The WP Directory Kit plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a m

CVE-2024-37487 MEDIUM
6.1 Jul 21

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in wpdirectory

CVE-2023-2279 MEDIUM
5.4 Aug 31

The WP Directory Kit plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including,

Share

CVE-2026-42672 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy