Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in wpWax Directorist Booking allows Blind SQL Injection.

This issue affects Directorist Booking: from n/a through 3.0.3.
Published: 2026-06-16
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability allows an attacker to execute arbitrary SQL commands through the Directorist Booking plugin’s handling of user input. The flaw arises from improper neutralization of special characters when constructing SQL statements, enabling Blind SQL Injection. An attacker could gain unauthorized access to the database, exfiltrate sensitive data, or modify records, potentially leading to loss of confidentiality and integrity of the site’s data.

Affected Systems

WordPress installations that use the wpWax Directorist Booking plugin with a version of 3.0.3 or earlier are impacted. Site owners and administrators should verify the plugin version in use and be aware that any deployment of the plugin before the 3.0.4 release remains susceptible.

Risk and Exploitability

The CVSS score of 8.5 indicates a high severity with potential for remote compromise. The EPSS score of less than 1% suggests that the likelihood of exploitation is currently low, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be through malicious input to the booking feature or related API endpoints, as the flaw permits Blind SQL Injection via crafted requests.

Generated by OpenCVE AI on June 17, 2026 at 19:30 UTC.

Remediation

Vendor Solution

Update the WordPress Directorist Booking Plugin to the latest available version (at least 3.0.4).


OpenCVE Recommended Actions

  • Update the Directorist Booking Plugin to version 3.0.4 or later to remove the vulnerable code.
  • If an upgrade cannot be performed immediately, restrict database privileges for the plugin’s database user and block direct HTTP access to plugin administration paths using server‑side rules.
  • Apply rigorous input validation or parameterized queries on booking form fields to mitigate injection until the official patch is installed.

Generated by OpenCVE AI on June 17, 2026 at 19:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wpwax
Wpwax directorist
Vendors & Products Wordpress
Wordpress wordpress
Wpwax
Wpwax directorist

Wed, 17 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in wpWax Directorist Booking allows Blind SQL Injection. This issue affects Directorist Booking: from n/a through 3.0.3.
Title WordPress Directorist Booking plugin <= 3.0.3 - SQL Injection vulnerability
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}


Subscriptions

Wordpress Wordpress
Wpwax Directorist
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T10:36:08.850Z

Reserved: 2026-05-27T10:27:01.186Z

Link: CVE-2026-49073

cve-icon Vulnrichment

Updated: 2026-06-17T10:36:04.158Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T07:45:16Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')