Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Remote network reach, authenticated low-priv user typical of booking plugins, blind SQLi reads cross-component DB data (S:C, C:H); no integrity or availability impact described.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
1DescriptionCVE.org
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in wpWax Directorist Booking allows Blind SQL Injection.
This issue affects Directorist Booking: from n/a through 3.0.3.
AnalysisAI
Blind SQL injection in the wpWax Directorist Booking WordPress plugin (versions up to and including 3.0.3) allows authenticated low-privilege users to issue crafted database queries that exfiltrate data across trust boundaries. The CVSS 3.1 score of 8.5 reflects a scope change (S:C) with high confidentiality impact, indicating the affected database context exposes data beyond the plugin's own component. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Technical ContextAI
Directorist Booking is an add-on for the Directorist WordPress directory/listing ecosystem developed by wpWax (CPE cpe:2.3:a:wpwax:directorist_booking:*). The root cause is CWE-89, Improper Neutralization of Special Elements used in an SQL Command, manifesting as a blind variant - meaning the application does not return query results directly, so attackers infer data through boolean conditions, time delays, or error-based side channels. In WordPress plugins this class of bug typically arises when user-supplied parameters (booking filters, IDs, search fields) are concatenated into wpdb queries without using $wpdb->prepare() or proper placeholder binding, allowing attackers to break out of the intended SQL context against the shared WordPress database.
RemediationAI
No vendor-released patch identified at time of analysis from the provided data - the EUVD range terminates at 3.0.3 without an explicit fixed-in version, so administrators should consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/directorist-booking/vulnerability/wordpress-directorist-booking-plugin-3-0-3-sql-injection-vulnerability and the wpWax vendor page for the latest version greater than 3.0.3 and upgrade as soon as one is published. Until then, defensive options include deactivating the Directorist Booking plugin if it is not business-critical (loss: booking functionality is removed), restricting account self-registration so untrusted users cannot obtain the low-privilege session that PR:L requires (loss: friction for legitimate signups), and deploying a WordPress-aware WAF rule (Patchstack, Wordfence, Sucuri) targeting SQLi payloads against the plugin's request endpoints (caveat: blind SQLi payloads using boolean/time techniques can evade naive signature rules, so virtual patching should be paired with database query logging and review).
More in Directorist Booking
View allSame weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37501