CVE-2026-39531

CRITICAL

WordPress WP Directory Kit plugin <= 1.5.0 - SQL Injection vulnerability

Title source: cna

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Wp Directory Kit WP Directory Kit allows Blind SQL Injection. This issue affects WP Directory Kit: from n/a through 1.5.0.

References (1)

Core 1

Core References

Vdb Entry vdb-entry

https://patchstack.com/database/wordpress/plugin/wpdirectorykit/vulnerability/wordpress-wp-directory-kit-plugin-1-5-0-sql-injection-vulnerability?_s_id=cve

Scores

CVSS v3 9.3

EPSS 0.0024

EPSS Percentile 15.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-89

Status published

Products (1)

Wp Directory Kit/WP Directory Kit < 1.5.0

Published May 21, 2026

Tracked Since May 21, 2026