Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Directorist Booking allows SQL Injection.This issue affects Directorist Booking: from n/a before 3.0.2.
Published: 2026-04-27
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection
Action: Patch
AI Analysis

Impact

Improper neutralization of special elements used in an SQL command allows attackers to inject arbitrary SQL queries through Directorist Booking input fields. Such injection can lead to unauthorized data retrieval, modification, or deletion, compromising the confidentiality, integrity, and availability of the WordPress site's data.

Affected Systems

The vulnerability affects the Directorist Booking WordPress plugin in all versions prior to 3.0.2. Any WordPress installation that has a Directorist Booking plugin older than 3.0.2 is vulnerable.

Risk and Exploitability

The CVSS score of 9.3 indicates high severity, while the EPSS score of less than 1% suggests a low but non‑zero exploitation probability. The plugin does not appear in the CISA KEV catalog. Attackers can exploit the flaw through network access to the WordPress site, sending malicious input via the booking form or related URLs. The attack vector is inferred to be remote web based, impacting only the affected plugin and potentially the entire WordPress database.

Generated by OpenCVE AI on April 28, 2026 at 13:06 UTC.

Remediation

Vendor Solution

Update the WordPress Directorist Booking plugin to the latest available version (at least 3.0.2).

OpenCVE Recommended Actions

  • Update the Directorist Booking plugin to version 3.0.2 or newer.
  • Disable or uninstall the plugin until the patch is installed.
  • Implement a web application firewall rule set to detect and block SQL injection patterns against the booking endpoints.

Generated by OpenCVE AI on April 28, 2026 at 13:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Directorist Booking
Directorist Booking directorist Booking
Wordpress
Wordpress wordpress
Vendors & Products Directorist Booking
Directorist Booking directorist Booking
Wordpress
Wordpress wordpress

Mon, 27 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 27 Apr 2026 10:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Directorist Booking allows SQL Injection.This issue affects Directorist Booking: from n/a before 3.0.2.
Title WordPress Directorist Booking plugin < 3.0.2 - SQL Injection vulnerability
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}

Subscriptions

Directorist Booking Directorist Booking
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:40.732Z

Reserved: 2026-01-07T12:21:11.735Z

Link: CVE-2026-22336

cve-icon Vulnrichment

Updated: 2026-04-27T13:42:28.057Z

cve-icon NVD

Status : Deferred

Published: 2026-04-27T11:16:00.610

Modified: 2026-04-27T18:37:59.213

Link: CVE-2026-22336

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T13:15:31Z

Weaknesses