VYPR
Critical severity 9.3 · NVD Advisory · Published May 21, 2026

CVE-2026-39531

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Wp Directory Kit WP Directory Kit allows Blind SQL Injection.

This issue affects WP Directory Kit: from n/a through 1.5.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Blind SQL injection in WP Directory Kit plugin (≤1.5.0) allows unauthenticated attackers to extract database contents.

Vulnerability

CVE-2026-39531 is a blind SQL injection vulnerability in the WP Directory Kit plugin for WordPress, affecting versions through 1.5.0. The plugin fails to properly neutralize special elements used in SQL commands, allowing an attacker to inject malicious SQL into queries sent to the database backend. The flaw is classified as Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection').

Exploitation

The vulnerability can be exploited without authentication, making it accessible to any remote attacker who can send crafted HTTP requests to a vulnerable WordPress site. Blind SQL injection techniques allow the attacker to infer information from the database by observing differences in application responses, even when error messages are suppressed. The public advisory flags this issue as highly dangerous and expected to be used in mass-exploit campaigns targeting thousands of websites [1].

Impact

Successful exploitation permits an attacker to directly interact with the database, enabling theft of sensitive data such as user credentials, personal information, and configuration details. The CVSS v3 base score is 9.3 (Critical), reflecting the severe potential for data compromise and website takeover [1].

Mitigation

The vendor has released version 1.5.1, which patches the vulnerability. Users are strongly advised to update immediately. For those unable to update, third-party firewall rules (e.g., from Patchstack) can provide a temporary mitigation by blocking SQL injection attack patterns until the update is applied [1].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

1

News mentions

2