Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Wp Directory Kit WP Directory Kit allows Blind SQL Injection.

This issue affects WP Directory Kit: from n/a through 1.5.0.
Published: 2026-05-21
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is an improper neutralization of special elements in SQL commands, enabling a blind SQL injection through the WordPress WP Directory Kit plugin. This vulnerability allows an attacker to infer database contents, extract sensitive data, and potentially modify or delete database records, leading to a data breach and integrity compromise. The impact can be significant, as attackers can obtain confidential information or manipulate the site’s database without direct code execution. Based on the description, it is inferred that the attack vector is remote via web input fields provided by the plugin, with no authentication required if the plugin is publicly accessible.

Affected Systems

WordPress sites running the WP Directory Kit plugin version 1.5.0 or earlier are affected. The vulnerability applies to all installations using this plugin from its inception through the specified version, regardless of other WordPress configuration details.

Risk and Exploitability

The CVSS score of 9.3 categorizes this issue as critical. Although no EPSS score is available, the lack of protection against blind SQL injection suggests that exploitation is feasible with standard techniques. It is not listed in CISA KEV, so no known exploits have been reported, but the high severity and remote attack possibility warrant immediate attention. The most likely attack path involves submitting crafted input data to the plugin’s endpoints to trigger the injection.

Generated by OpenCVE AI on May 21, 2026 at 17:50 UTC.

Remediation

Vendor Solution

Update the WordPress WP Directory Kit Plugin to the latest available version (at least 1.5.1).


OpenCVE Recommended Actions

  • Apply the official patch by updating the WP Directory Kit plugin to version 1.5.1 or higher.
  • Restrict the plugin’s API endpoints to authenticated users and remove or disable any public-facing forms that accept input.
  • If updating is not immediately feasible, deploy a web application firewall rule or .htaccess restriction to block suspicious queries against the plugin’s URLs as a temporary workaround while awaiting the patch.

Generated by OpenCVE AI on May 21, 2026 at 17:50 UTC.

Advisories

No advisories yet.

History

Fri, 22 May 2026 12:45:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress; Wpdirectorykit; Wpdirectorykit wp Directory Kit

Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress; Wpdirectorykit; Wpdirectorykit wp Directory Kit

Thu, 21 May 2026 17:30:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 21 May 2026 16:00:00 +0000

Type: Description
Values Added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Wp Directory Kit WP Directory Kit allows Blind SQL Injection. This issue affects WP Directory Kit: from n/a through 1.5.0.

Type: Title
Values Added: WordPress WP Directory Kit plugin <= 1.5.0 - SQL Injection vulnerability

Type: Weaknesses
Values Added: CWE-89

Type: References

Type: Metrics
Values Added: cvssV3_1
{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-21T15:56:39.967Z

Reserved: 2026-04-07T10:48:09.605Z

Link: CVE-2026-39531

Vulnrichment

Updated: 2026-05-21T15:56:34.181Z

NVD

Status : Deferred

Published: 2026-05-21T16:16:23.030

Modified: 2026-05-21T19:10:36.607

Link: CVE-2026-39531

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-22T12:30:27Z

Weaknesses