Directorist Booking
Monthly
Blind SQL injection in the wpWax Directorist Booking WordPress plugin (versions up to and including 3.0.3) allows authenticated low-privilege users to issue crafted database queries that exfiltrate data across trust boundaries. The CVSS 3.1 score of 8.5 reflects a scope change (S:C) with high confidentiality impact, indicating the affected database context exposes data beyond the plugin's own component. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Unauthenticated SQL injection in Directorist Booking WordPress plugin allows remote attackers to extract sensitive database contents and cause limited denial of service. The vulnerability affects all versions prior to 3.0.2 and can be exploited remotely with low complexity and no authentication (CVSS:3.1 AV:N/AC:L/PR:N/UI:N). Patchstack has published details confirming the vulnerability exists in version 2.4.1 and earlier, with a vendor-released patch available in version 3.0.2. No CISA KEV listing or public exploit code identified at time of analysis.
Blind SQL injection in the wpWax Directorist Booking WordPress plugin (versions up to and including 3.0.3) allows authenticated low-privilege users to issue crafted database queries that exfiltrate data across trust boundaries. The CVSS 3.1 score of 8.5 reflects a scope change (S:C) with high confidentiality impact, indicating the affected database context exposes data beyond the plugin's own component. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Unauthenticated SQL injection in Directorist Booking WordPress plugin allows remote attackers to extract sensitive database contents and cause limited denial of service. The vulnerability affects all versions prior to 3.0.2 and can be exploited remotely with low complexity and no authentication (CVSS:3.1 AV:N/AC:L/PR:N/UI:N). Patchstack has published details confirming the vulnerability exists in version 2.4.1 and earlier, with a vendor-released patch available in version 3.0.2. No CISA KEV listing or public exploit code identified at time of analysis.