Impact
This vulnerability allows an attacker to execute arbitrary SQL commands through the Directorist Booking plugin’s handling of user input. The flaw arises from improper neutralization of special characters when constructing SQL statements, enabling Blind SQL Injection. An attacker could gain unauthorized access to the database, exfiltrate sensitive data, or modify records, potentially leading to loss of confidentiality and integrity of the site’s data.
Affected Systems
WordPress installations that use the wpWax Directorist Booking plugin with a version of 3.0.3 or earlier are impacted. Site owners and administrators should verify the plugin version in use and be aware that any deployment of the plugin before the 3.0.4 release remains susceptible.
Risk and Exploitability
The CVSS score of 8.5 indicates a high severity with potential for remote compromise. The EPSS score of less than 1% suggests that the likelihood of exploitation is currently low, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be through malicious input to the booking feature or related API endpoints, as the flaw permits Blind SQL Injection via crafted requests.
OpenCVE Enrichment