CVE-2026-42672
No known patch is available for this vulnerability.
The affected plugin has not been updated on WordPress.org since before this CVE was disclosed; the latest installable version is still vulnerable. If you have the affected software installed, you should uninstall or replace it rather than wait for an update.
Description
The WP Directory Kit plugin for WordPress is vulnerable to blind SQL injection, allowing unauthenticated attackers to query and exfiltrate database contents.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The WP Directory Kit plugin for WordPress is vulnerable to blind SQL injection, allowing unauthenticated attackers to query and exfiltrate database contents.
Vulnerability
The WP Directory Kit plugin for WordPress is susceptible to a blind SQL injection vulnerability due to improper neutralization of special elements used in SQL commands. This flaw exists in all versions from n/a through 1.5.1 and allows an attacker to manipulate database queries by injecting malicious SQL statements [1].
Exploitation
An attacker can exploit this vulnerability by sending crafted HTTP requests to the target site. Because the vulnerability is a blind SQL injection, the attacker does not require authentication or specific user interaction to interact with the database, making it suitable for automated mass-exploit campaigns [1].
Impact
Successful exploitation allows a malicious actor to directly interact with the underlying database. This can lead to unauthorized access to sensitive information, potentially resulting in the full disclosure of database contents or other unauthorized data manipulation [1].
Mitigation
While initial reports suggested updating to version 1.5.2 or later [1], the plugin is currently listed as abandoned, and the latest available version on the WordPress repository is 1.5.3 [2]. Users are strongly advised to uninstall the plugin immediately and replace it with an actively maintained alternative, as no reliable security updates are being provided [2].
AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1- Range: <=1.5.1
Patches
0wpdirectorykitThis plugin appears unmaintained — its last release on WordPress.org predates this CVE's publication, so no fix has been shipped since the vulnerability was disclosed. The latest installable version is still vulnerable. Users should uninstall it or switch to an actively-maintained alternative.
Source: api.wordpress.org · directory page
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
1News mentions
0No linked articles in our index yet.