Skip to main content

Directorist Booking

2 CVEs product

Monthly

CVE-2026-49073 HIGH This Week

Blind SQL injection in the wpWax Directorist Booking WordPress plugin (versions up to and including 3.0.3) allows authenticated low-privilege users to issue crafted database queries that exfiltrate data across trust boundaries. The CVSS 3.1 score of 8.5 reflects a scope change (S:C) with high confidentiality impact, indicating the affected database context exposes data beyond the plugin's own component. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

SQLi Directorist Booking
NVD
CVSS 3.1
8.5
EPSS
0.3%
CVE-2026-22336 CRITICAL PATCH Act Now

Unauthenticated SQL injection in Directorist Booking WordPress plugin allows remote attackers to extract sensitive database contents and cause limited denial of service. The vulnerability affects all versions prior to 3.0.2 and can be exploited remotely with low complexity and no authentication (CVSS:3.1 AV:N/AC:L/PR:N/UI:N). Patchstack has published details confirming the vulnerability exists in version 2.4.1 and earlier, with a vendor-released patch available in version 3.0.2. No CISA KEV listing or public exploit code identified at time of analysis.

SQLi Directorist Booking
NVD VulDB
CVSS 3.1
9.3
EPSS
0.0%
EPSS 0% CVSS 8.5
HIGH This Week

Blind SQL injection in the wpWax Directorist Booking WordPress plugin (versions up to and including 3.0.3) allows authenticated low-privilege users to issue crafted database queries that exfiltrate data across trust boundaries. The CVSS 3.1 score of 8.5 reflects a scope change (S:C) with high confidentiality impact, indicating the affected database context exposes data beyond the plugin's own component. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

SQLi Directorist Booking
NVD
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Unauthenticated SQL injection in Directorist Booking WordPress plugin allows remote attackers to extract sensitive database contents and cause limited denial of service. The vulnerability affects all versions prior to 3.0.2 and can be exploited remotely with low complexity and no authentication (CVSS:3.1 AV:N/AC:L/PR:N/UI:N). Patchstack has published details confirming the vulnerability exists in version 2.4.1 and earlier, with a vendor-released patch available in version 3.0.2. No CISA KEV listing or public exploit code identified at time of analysis.

SQLi Directorist Booking
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy