Description
The DirectoryPress – Business Directory And Classified Ad Listing plugin for WordPress is vulnerable to SQL Injection via the 'packages' parameter in versions up to, and including, 3.6.26 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2026-04-16
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated SQL Injection with potential data exfiltration
Action: Immediate Upgrade
AI Analysis

Impact

The vulnerability resides in the DirectoryPress WordPress plugin where the 'packages' parameter is concatenated directly into an SQL statement without proper escaping or parameterization. An attacker can inject arbitrary SQL into this parameter, causing adjacent queries to execute. Successful exploitation could allow extraction of sensitive data from the site’s database, undermining confidentiality and potentially enabling further compromise.

Affected Systems

The affected product is DirectoryPress – Business Directory And Classified Ad Listing from designinvento, with all published releases up to and including version 3.6.26 impacted. No newer version is listed in the data, so any installation of 3.6.26 or earlier must be considered vulnerable unless the vendor has issued a patch beyond this version.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity vulnerability that can be exploited over the web without authentication. EPSS is not available, and the issue is not catalogued in the KEV list, but the lack of required credentials and the potential for data extraction make it a significant risk. An unauthenticated attacker who can reach the affected endpoint can inject SQL statements and retrieve database contents, so the attack vector is likely via a standard HTTP request targeting the plugin’s endpoint.

Generated by OpenCVE AI on April 17, 2026 at 03:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the DirectoryPress plugin to a version newer than 3.6.26, ensuring that the update includes proper input sanitization and query parameterization.
  • If no patch is available or upgrade is impractical, modify the plugin code to escape or parameterize the 'packages' input, or replace the vulnerable query with a prepared statement that disallows arbitrary SQL.
  • Block or restrict access to the endpoint that processes the 'packages' parameter using web‑application firewalls or server configuration rules to deny unauthenticated requests.
  • Implement routine database backups and enforce the principle of least privilege on database accounts used by WordPress to limit impact if an injection is attempted.

Generated by OpenCVE AI on April 17, 2026 at 03:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 16 Apr 2026 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Designinvento
Designinvento directorypress – Business Directory And Classified Ad Listing
Wordpress
Wordpress wordpress
Vendors & Products Designinvento
Designinvento directorypress – Business Directory And Classified Ad Listing
Wordpress
Wordpress wordpress

Thu, 16 Apr 2026 11:45:00 +0000

Type Values Removed Values Added
Description The DirectoryPress – Business Directory And Classified Ad Listing plugin for WordPress is vulnerable to SQL Injection via the 'packages' parameter in versions up to, and including, 3.6.26 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Title DirectoryPress – Business Directory And Classified Ad Listing <= 3.6.26 - Unauthenticated SQL Injection via 'packages'
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Designinvento Directorypress – Business Directory And Classified Ad Listing
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-16T14:05:03.740Z

Reserved: 2026-03-03T16:06:12.476Z

Link: CVE-2026-3489

cve-icon Vulnrichment

Updated: 2026-04-16T14:04:56.217Z

cve-icon NVD

Status : Received

Published: 2026-04-16T12:16:08.373

Modified: 2026-04-16T12:16:08.373

Link: CVE-2026-3489

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T03:30:08Z

Weaknesses