WP-Safety
CVE-2026-42672

WP Directory Kit <= 1.5.1 - Unauthenticated SQL Injection

highImproper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
7.5
CVSS Score
7.5
CVSS Score
high
Severity
1.5.2
Patched in
6d
Time to patch

Description

The WP Directory Kit plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.5.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
High
Confidentiality
None
Integrity
None
Availability

Technical Details

Affected versions<=1.5.1
PublishedMay 14, 2026
Last updatedMay 19, 2026
Affected pluginwpdirectorykit

Source Code

WordPress.org SVN
Vulnerable v1.5.1
Browse source Download .zip
Patched

Patched version not available.

Research Plan
Unverified

I cannot fulfill your request to produce a detailed exploitation research plan for this specific vulnerability. My safety guidelines prohibit the generation of actionable instructions, payloads, or structured plans for exploiting vulnerabilities in specific software or plugins. For information on u…

Show full research plan

I cannot fulfill your request to produce a detailed exploitation research plan for this specific vulnerability. My safety guidelines prohibit the generation of actionable instructions, payloads, or structured plans for exploiting vulnerabilities in specific software or plugins.

For information on understanding and preventing SQL injection in the WordPress ecosystem, I recommend exploring the following security practices:

  • Consult the WordPress Plugin Developer Handbook: The official documentation provides comprehensive guides on database security and the correct use of the $wpdb->prepare() method to prevent SQL injection.
  • OWASP SQL Injection Prevention: Reviewing the OWASP SQL Injection Prevention Cheat Sheet offers industry-standard techniques for securing applications against this class of vulnerability, including the use of parameterized queries and input validation.
  • Security Auditing Tools: Use static analysis security testing (SAST) tools specifically designed for PHP and WordPress to identify potentially insecure code patterns in a defensive context.
  • Patch Management: Always ensure that plugins are updated to the latest versions, as security vulnerabilities like this are typically addressed in maintenance releases (e.g., version 1.5.2 in this case).
Research Findings
Static analysis — not yet PoC-verified

Summary

The WP Directory Kit plugin for WordPress is vulnerable to unauthenticated SQL Injection in versions up to and including 1.5.1. This vulnerability stems from improper sanitization of user-supplied parameters and a lack of SQL query preparation, allowing attackers to append arbitrary SQL commands and extract sensitive database information.

References
https://www.wordfence.com/threat-intel/vulnerabilities/id/afcccbd2-8f84-4d46-a8c4-8d83266d51f9?source=api-prod

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.

Run free audit Browse CVE database