Skip to main content
CVE Vulnerability Database

CVE-2026-3489: DirectoryPress WordPress SQL Injection Flaw

CVE-2026-3489 is a SQL injection vulnerability in the DirectoryPress WordPress plugin affecting versions up to 3.6.26. Unauthenticated attackers can extract sensitive database information. This article covers technical details, impact, and mitigation.

Updated:

CVE-2026-3489 Overview

CVE-2026-3489 is a SQL Injection vulnerability [CWE-89] affecting the DirectoryPress – Business Directory and Classified Ad Listing plugin for WordPress. The flaw exists in versions up to and including 3.6.26 and stems from insufficient escaping of the packages parameter combined with a lack of proper SQL query preparation. Unauthenticated attackers can append additional SQL statements to existing queries and extract sensitive data from the WordPress database.

Critical Impact

Unauthenticated remote attackers can extract sensitive database contents, including user credentials, session tokens, and configuration secrets, without user interaction.

Affected Products

  • DirectoryPress – Business Directory and Classified Ad Listing plugin for WordPress
  • All versions up to and including 3.6.26
  • WordPress sites running the vulnerable plugin in any deployment configuration

Discovery Timeline

  • 2026-04-16 - CVE-2026-3489 published to NVD
  • 2026-04-22 - Last updated in NVD database

Technical Details for CVE-2026-3489

Vulnerability Analysis

The vulnerability resides in how the DirectoryPress plugin processes the packages parameter supplied through HTTP requests. User-supplied input is concatenated into a SQL query without sufficient escaping or use of prepared statements. Attackers can submit crafted values that break out of the intended query context and append arbitrary SQL clauses.

Because the injection point is reachable without authentication, exploitation requires only network access to the target WordPress site. The classification reflects high confidentiality impact with no impact to integrity or availability, consistent with data extraction through UNION-based or boolean-based SQL injection techniques.

The EPSS score is 0.032%, placing it in the 9.337 percentile for exploitation likelihood. No public proof-of-concept exploit is currently available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

Root Cause

The root cause is a failure to use the WordPress $wpdb->prepare() API or equivalent parameterized query mechanisms when handling the packages request parameter. Input sanitization functions such as esc_sql() are either missing or applied insufficiently. The plugin developer addressed the issue in WordPress Changeset 3474986.

Attack Vector

An unauthenticated attacker sends a crafted HTTP request to an endpoint that accepts the packages parameter. By appending SQL syntax such as UNION SELECT clauses, the attacker forces the database to return data from arbitrary tables, including the wp_users table containing password hashes and email addresses. See the Wordfence Vulnerability Report for additional technical context.

The vulnerability mechanism is described in prose only — no verified public proof-of-concept code is available at this time.

Detection Methods for CVE-2026-3489

Indicators of Compromise

  • HTTP requests containing SQL syntax in the packages parameter, such as UNION, SELECT, SLEEP, or -- comment sequences
  • Unexpected database query errors in WordPress debug logs originating from DirectoryPress plugin files
  • Outbound connections or large response payloads from WordPress endpoints handling directory package requests
  • Web server access logs showing repeated requests to DirectoryPress endpoints from a single source IP

Detection Strategies

  • Deploy web application firewall rules that inspect the packages parameter for SQL injection patterns
  • Enable MySQL general query logging temporarily to identify anomalous query structures referencing wp_users or wp_options
  • Monitor WordPress error logs for wpdb warnings indicating malformed SQL execution
  • Correlate failed authentication attempts that follow suspicious requests to DirectoryPress endpoints

Monitoring Recommendations

  • Track HTTP request rates and parameter entropy on DirectoryPress endpoints to identify automated probing
  • Alert on database queries that return unusually large result sets from public-facing pages
  • Forward WordPress and web server logs to a centralized SIEM for cross-source correlation
  • Review installed plugin versions weekly and flag any site running DirectoryPress at version 3.6.26 or earlier

How to Mitigate CVE-2026-3489

Immediate Actions Required

  • Update DirectoryPress to a version newer than 3.6.26 that includes the fix from changeset 3474986
  • Audit WordPress user accounts and rotate administrator passwords if compromise is suspected
  • Review database access logs for evidence of unauthorized SELECT queries against sensitive tables
  • Restrict access to the WordPress admin interface using IP allow-listing where feasible

Patch Information

The vendor addressed CVE-2026-3489 in WordPress Changeset 3474986. Site administrators should update the DirectoryPress plugin through the WordPress admin dashboard or by deploying the patched files directly. Verify the plugin version in the WordPress plugins list after applying the update.

Workarounds

  • Deactivate the DirectoryPress plugin until the update can be applied
  • Deploy a web application firewall rule blocking SQL metacharacters in the packages parameter
  • Restrict database user privileges so the WordPress account cannot read tables outside its required scope
  • Enable WordPress two-factor authentication to limit damage from leaked credential hashes
bash
# Example WAF rule blocking SQL injection patterns in the packages parameter
SecRule ARGS:packages "@rx (?i)(union(\s|/\*.*?\*/)+select|sleep\s*\(|--\s|;\s*drop)" \
    "id:1002026,phase:2,deny,status:403,msg:'CVE-2026-3489 DirectoryPress SQLi attempt'"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.