PatchSiren cyber security CVE debrief

CVE-2026-42672 Wp Directory Kit CVE debrief

A critical blind SQL injection vulnerability exists in the WP Directory Kit WordPress plugin, affecting all versions up to and including 1.5.1. The vulnerability stems from improper neutralization of special elements used in SQL commands (CWE-89), allowing unauthenticated attackers to manipulate database queries. With a CVSS 3.1 score of 9.3, it presents severe risk because of its network attack vector, low attack complexity, no required privileges, no user interaction and changed scope, enabling potential unauthorized data access and a limited availability impact. The NVD record status is currently Deferred as of the June 1, 2026 modification. No exploitation in ransomware campaigns has been documented, and the vulnerability has not been added to CISA's Known Exploited Vulnerabilities catalog.

Vendor: Wp Directory Kit
Product: Unknown
CVSS: CRITICAL 9.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-01
Original CVE updated: 2026-06-01
Advisory published: 2026-06-01
Advisory updated: 2026-06-01

Who should care

  • WordPress site administrators using the WP Directory Kit plugin
  • Security teams managing WordPress estates
  • Hosting providers offering managed WordPress services
  • Organizations with public-facing directory listings built on WordPress

Technical summary

The WP Directory Kit plugin for WordPress fails to properly sanitize user-supplied input before incorporating it into SQL queries. This blind SQL injection vulnerability can be exploited without authentication, allowing attackers to extract sensitive information from the database through boolean-based or time-based inference: the query result is never returned directly, so the attacker infers it one condition at a time from differences in the response content or in the response delay. The vulnerability affects all versions from the initial release through 1.5.1. The changed scope (S:C) in the CVSS vector indicates that the impact extends beyond the security authority of the vulnerable component, that is, to resources governed by a different security authority than the plugin itself.

Defensive priority

critical

Recommended defensive actions

  • Upgrade WP Directory Kit to a version newer than 1.5.1 if available, or remove the plugin if no patch is released
  • Implement Web Application Firewall (WAF) rules to detect and block SQL injection payloads targeting WordPress directory plugins
  • Apply principle of least privilege to database accounts used by WordPress installations
  • Enable comprehensive logging for database queries to detect anomalous SQL patterns
  • Review WordPress installation for unauthorized admin accounts or modified content that may indicate prior exploitation
  • Consider database integrity verification if the plugin was deployed in production prior to disclosure
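The inference techniques named in the technical summary leave a characteristic trace in ordinary web-server access logs, which is what the WAF and logging actions above rely on. The following script is an added example for this debrief, not PatchSiren's or the plugin's own code: it parses a small constructed log sample (combined format with a trailing response-time field), flags request parameters carrying SQL injection indicators, confirms a time-based probe only when the response was actually delayed relative to that page's normal latency, and marks boolean-based probes whose responses diverge in size. The parameter name `directory_item` and the source addresses are placeholders; the advisory does not name the vulnerable parameter.

```python
"""Access-log triage for blind SQL injection probing (added example)."""
import re
from collections import Counter, defaultdict
from statistics import median
from urllib.parse import parse_qsl, urlsplit

# Constructed sample in combined log format with a trailing response-time field
# (milliseconds). "directory_item" is a hypothetical placeholder parameter name;
# the advisory does not name the vulnerable parameter. Not real traffic.
SAMPLE_LOG = """\
198.51.100.20 - - [01/Jun/2026:18:00:01 +0000] "GET /?directory_item=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 38
203.0.113.7 - - [01/Jun/2026:18:00:05 +0000] "GET /?directory_item=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 40
203.0.113.7 - - [01/Jun/2026:18:00:06 +0000] "GET /?directory_item=12%20AND%201%3D1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 42
203.0.113.7 - - [01/Jun/2026:18:00:07 +0000] "GET /?directory_item=12%20AND%201%3D2 HTTP/1.1" 200 311 "-" "Mozilla/5.0" 39
203.0.113.7 - - [01/Jun/2026:18:00:09 +0000] "GET /?directory_item=12%20AND%20SLEEP%285%29 HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 5031
198.51.100.21 - - [01/Jun/2026:18:00:12 +0000] "GET /?directory_item=13 HTTP/1.1" 200 4980 "-" "Mozilla/5.0" 36
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "[^"]*" "[^"]*" (?P<ms>\d+)$'
)

# Indicators checked against each *decoded* parameter value. These are the
# classic inference primitives a WAF rule also keys on; a match is a trigger
# for review, not proof of compromise.
INDICATORS = {
    "time-based": re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor)\b", re.I),
    "boolean-based": re.compile(r"\b(and|or)\b\s+\S+\s*(=|<>|<|>|like)\s*\S+", re.I),
    "comment-terminator": re.compile(r"(--|/\*|#)"),
}


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    return {
        "ip": m["ip"], "ts": m["ts"], "path": parts.path,
        "params": parse_qsl(parts.query, keep_blank_values=True),  # percent-decoded
        "status": int(m["status"]), "bytes": int(m["bytes"]), "ms": int(m["ms"]),
    }


def classify_params(params):
    """Return [(param, kind)] for every indicator that fires on a value."""
    return [(name, kind) for name, value in params
            for kind, rx in INDICATORS.items() if rx.search(value)]


def analyze(log_text, slow_ms=3000):
    """Flag suspicious requests; confirm delays and divergent responses."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    # Baseline latency per path, so "slow" is judged against that page's norm.
    per_path = defaultdict(list)
    for e in events:
        per_path[e["path"]].append(e["ms"])
    baseline = {p: median(v) for p, v in per_path.items()}

    findings = []
    for e in events:
        hits = classify_params(e["params"])
        if not hits:
            continue
        kinds = {kind for _, kind in hits}
        if "time-based" in kinds and e["ms"] - baseline[e["path"]] >= slow_ms:
            kinds.add("time-based:delay-observed")
        findings.append({"ip": e["ip"], "ts": e["ts"], "path": e["path"],
                         "params": sorted({n for n, _ in hits}),
                         "bytes": e["bytes"], "kinds": sorted(kinds)})

    # Boolean inference shows up as near-identical requests from one source
    # whose response sizes diverge; mark every member of such a group.
    sizes = defaultdict(set)
    for f in findings:
        if "boolean-based" in f["kinds"]:
            sizes[(f["ip"], f["path"], tuple(f["params"]))].add(f["bytes"])
    for f in findings:
        key = (f["ip"], f["path"], tuple(f["params"]))
        if "boolean-based" in f["kinds"] and len(sizes[key]) > 1:
            f["kinds"].append("boolean-based:divergent-responses")
    return findings


def sources(findings):
    """Flagged request count per source address, for triage or blocking."""
    return dict(Counter(f["ip"] for f in findings))


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for f in results:
        print(f["ip"], f["ts"], f["path"], f["kinds"])
    print(sources(results))
```

The latency baseline matters more than the keyword match: a `SLEEP`-style indicator that produced a normal response time suggests the input never reached a query unsanitized (or was blocked), whereas a delay close to the requested value is direct evidence that the injected expression was evaluated by the database. Feed real logs through `analyze` after adding the response-time field to the server's log format, and treat the `sources` counts as the input to a blocking decision rather than blocking on a single match.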

Evidence notes

Vulnerability identified through a Patchstack disclosure and indexed in NVD with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L. Vendor attribution remains under review; the current attribution is low-confidence and rests only on candidate reference-domain evidence.

Official resources

2026-06-01T17:16:59.667Z