Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Wp Directory Kit WP Directory Kit allows Blind SQL Injection.

This issue affects WP Directory Kit: from n/a through 1.5.1.
Published: 2026-06-01
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of special elements used in an SQL command in WP Directory Kit allows blind SQL injection. This can enable an attacker to read, modify, or delete database contents, potentially exposing sensitive user data or corrupting site data. The weakness is classified as CWE-89.

Affected Systems

WordPress sites that use WP Directory Kit plugin version 1.5.1 or earlier are affected. All installations of the plugin from its earliest release through 1.5.1 are vulnerable.

Risk and Exploitability

The CVSS 3.1 base score of 9.3 rates this vulnerability as critical; the vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L) describes a network-reachable flaw with low attack complexity that requires no privileges and no user interaction. No EPSS score is available, so the probability of exploitation cannot be estimated from that source. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is the web interface: a remote attacker submits crafted requests to the plugin’s endpoints, and the blind SQL injection occurs when the plugin processes unsanitized input.

Generated by OpenCVE AI on June 1, 2026 at 18:40 UTC.

Remediation

Vendor Solution

Update the WordPress WP Directory Kit Plugin to the latest available version (at least 1.5.2).


OpenCVE Recommended Actions

  • Update the WP Directory Kit plugin to version 1.5.2 or later.
  • Limit the database account used by WordPress to the privileges required for normal operation, for example by granting write access only on the tables that need it.
  • Monitor web application logs and database activity for anomalous queries or attempted data exfiltration, and consider deploying a WAF rule that blocks suspicious SQL patterns.

Advisories

No advisories yet.

History

Mon, 01 Jun 2026 17:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 01 Jun 2026 17:00:00 +0000

Type | Values Removed | Values Added
Description | | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Wp Directory Kit WP Directory Kit allows Blind SQL Injection. This issue affects WP Directory Kit: from n/a through 1.5.1.
Title | | WordPress WP Directory Kit plugin <= 1.5.1 - SQL Injection vulnerability
Weaknesses | | CWE-89
References | |
Metrics | | cvssV3_1 {'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-01T17:06:25.777Z

Reserved: 2026-04-29T09:04:52.624Z

Link: CVE-2026-42672

Vulnrichment

Updated: 2026-06-01T17:06:19.630Z

NVD

Status: Deferred

Published: 2026-06-01T17:16:59.667

Modified: 2026-06-01T17:57:16.380

Link: CVE-2026-42672

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-01T18:45:34Z
