PatchSiren cyber security CVE debrief

CVE-2026-39531 Wp Directory Kit CVE debrief

CVE-2026-39531 is a critical blind SQL injection issue affecting the WP Directory Kit plugin through version 1.5.0. The vulnerability was published on 2026-05-21 and has a CVSS 3.1 score of 9.3, with NVD listing the record as Deferred. Because the supplied source attribution is incomplete, the vendor identity should be treated carefully and validated against the linked Patchstack reference before making operational decisions.

Vendor: Wp Directory Kit
Product: Unknown
CVSS: CRITICAL 9.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-21
Original CVE updated: 2026-05-21
Advisory published: 2026-05-21
Advisory updated: 2026-05-21

Who should care

Administrators and security teams responsible for WordPress sites running WP Directory Kit, especially environments that expose the plugin to untrusted web traffic. Managed hosting providers and incident response teams should also review exposure because the CVSS vector indicates network-based, unauthenticated access.

Technical summary

The source corpus describes an Improper Neutralization of Special Elements used in an SQL Command (CWE-89) issue leading to blind SQL injection in WP Directory Kit, affecting all versions up to and including 1.5.0 (no lower bound is given). The NVD record lists the attack vector as network-based with no privileges or user interaction required, and the CVSS scope is changed, with high confidentiality impact and low availability impact. No exploit details are provided in the supplied sources, so assessment should remain limited to the documented injection class and affected version range.

Defensive priority

High. The combination of critical severity, unauthenticated network exposure, and database-related impact warrants prompt verification of affected installations and immediate remediation planning.

Recommended defensive actions

  • Confirm whether WP Directory Kit is installed anywhere in your WordPress estate and identify all versions in use.
  • Treat versions through 1.5.0 as affected until validated otherwise.
  • Review the linked Patchstack advisory for vendor guidance, upgrade information, or mitigations.
  • Apply the vendor-recommended fix or remove the plugin from exposed systems if no safe update is available.
  • Restrict access and monitor for anomalous database queries or unusual application behavior while remediation is underway.
  • Reassess after patching to ensure no remaining instances of the affected plugin version exist.
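The first, second and last actions above amount to one inventory task: find every copy of the plugin under wp-content/plugins and decide whether its version falls in the affected range. The script below is an added example written for this debrief; it is not PatchSiren, Patchstack or vendor code. It relies only on the standard WordPress plugin header format (a comment block containing "Plugin Name:" and "Version:" in the plugin's main PHP file, of which WordPress reads the first 8 KB) and matches on the plugin name rather than a directory slug, because the advisory does not give the slug. The sample plugin tree it builds is constructed for the demonstration, and the "1.5.1" entry in it is a hypothetical later version used only to show the comparison; the advisory names no fixed version.

```python
"""Inventory check for WP Directory Kit installs against CVE-2026-39531.

Added example, not from the advisory. Flags any copy of the plugin whose
header version is <= 1.5.0 ("through 1.5.0" in the NVD record), and
conservatively flags copies whose version cannot be read.
"""
import re
import tempfile
from pathlib import Path

AFFECTED_MAX = "1.5.0"             # upper bound of the affected range per NVD
TARGET_NAME = "wp directory kit"   # compared case-insensitively to Plugin Name
HEADER_BYTES = 8192                # WordPress only inspects the first 8 KB

# Header lines look like " * Version: 1.5.0" inside a PHP doc comment.
NAME_RE = re.compile(r"^[ \t/*#@]*Plugin Name:[ \t]*(.+?)[ \t]*$", re.M)
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(.+?)[ \t]*$", re.M)


def parse_version(v):
    """Sortable key: numeric tuple plus a flag ranking a pre-release
    (e.g. 1.5.0-rc1) below the final release with the same number."""
    core, _, pre = v.strip().partition("-")
    nums = tuple(int(p) for p in re.findall(r"\d+", core))
    nums = nums + (0,) * (3 - len(nums))   # "1.5" compares as 1.5.0
    return nums, 0 if pre else 1


def is_affected(version):
    """True when the version is within the advisory's affected range."""
    return parse_version(version) <= parse_version(AFFECTED_MAX)


def read_plugin_header(php_path):
    """Return {'name', 'version'} from a plugin's main file, or None."""
    head = php_path.read_text(errors="replace")[:HEADER_BYTES]
    name = NAME_RE.search(head)
    if not name:
        return None
    version = VERSION_RE.search(head)
    return {"name": name.group(1), "version": version.group(1) if version else ""}


def scan_plugins(plugins_dir):
    """Walk wp-content/plugins and report every copy of the target plugin."""
    findings = []
    for plugin_dir in sorted(Path(plugins_dir).iterdir()):
        if not plugin_dir.is_dir():
            continue
        for php in sorted(plugin_dir.glob("*.php")):
            hdr = read_plugin_header(php)
            if hdr is None or hdr["name"].lower() != TARGET_NAME:
                continue
            version = hdr["version"]
            findings.append({
                "slug": plugin_dir.name,
                "version": version,
                # Unreadable version: treat as affected until validated.
                "affected": not version or is_affected(version),
            })
            break   # one header per plugin directory is enough
    return findings


def build_sample_tree():
    """Constructed plugins directory for demonstration; slugs are placeholders."""
    root = Path(tempfile.mkdtemp(prefix="wp-plugins-"))
    samples = {
        "wp-directory-kit": ("WP Directory Kit", "1.5.0"),      # in affected range
        "wp-directory-kit-dev": ("WP Directory Kit", "1.5.1"),  # hypothetical later version
        "other-plugin": ("Some Other Plugin", "3.2.1"),         # unrelated, ignored
    }
    for slug, (name, version) in samples.items():
        d = root / slug
        d.mkdir()
        (d / f"{slug}.php").write_text(
            "<?php\n/**\n"
            f" * Plugin Name: {name}\n"
            " * Description: constructed sample header\n"
            f" * Version: {version}\n"
            " */\n"
        )
    return root


if __name__ == "__main__":
    # Point this at a real wp-content/plugins directory in practice.
    for f in scan_plugins(build_sample_tree()):
        status = "AFFECTED" if f["affected"] else "outside range"
        print(f"{f['slug']}: version {f['version'] or '?'} -> {status}")
```

Run it once per WordPress root (or per site on a multisite host) and keep the output as the record for the post-patch reassessment step; a second run after remediation should report no "AFFECTED" rows.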

Evidence notes

Evidence is limited to the NVD CVE record and a single Patchstack reference URL. NVD describes the issue as blind SQL injection (CWE-89), assigns a CVSS 3.1 score of 9.3, and marks the vulnerability status as Deferred. The vendor field in the supplied data is low confidence and should not be treated as authoritative without further validation from the linked advisory.

Official resources

Published on 2026-05-21 at 16:16:23.030Z and last modified the same day at 19:10:36.607Z. NVD reflects the record on 2026-05-21 and marks the vulnerability status as Deferred.