CVE-2026-42672: WP Directory Kit SQL Injection Vulnerability

CVE-2026-42672 is a blind SQL injection vulnerability in the WP Directory Kit plugin that allows attackers to extract sensitive database information. This post covers technical details, affected versions up to 1.5.1, and mitigation.

CVE-2026-42672 Overview

CVE-2026-42672 is a Blind SQL Injection vulnerability in the WP Directory Kit WordPress plugin. The flaw affects all versions of WP Directory Kit up to and including 1.5.1. Unauthenticated attackers can inject SQL statements through unsanitized input parameters that reach backend database queries. The weakness is classified as [CWE-89] Improper Neutralization of Special Elements used in an SQL Command.

The vulnerability requires no authentication, no user interaction, and is exploitable over the network. Successful exploitation allows attackers to extract arbitrary data from the WordPress database, including user records, password hashes, and session tokens.

Critical Impact

Unauthenticated remote attackers can perform blind SQL injection against any WordPress site running WP Directory Kit through version 1.5.1, leading to confidentiality compromise across the database.

Affected Products

  • WP Directory Kit plugin for WordPress, all versions through 1.5.1
  • WordPress sites with the plugin enabled and reachable from the internet
  • Multi-tenant WordPress hosting environments running the affected plugin

Discovery Timeline

  • 2026-06-01 - CVE-2026-42672 published to NVD
  • 2026-06-01 - Last updated in NVD database

Technical Details for CVE-2026-42672

Vulnerability Analysis

The vulnerability resides in WP Directory Kit's handling of user-supplied input that is concatenated into SQL statements without proper sanitization or parameterization. Because the injection point returns no visible output, attackers exploit it as a blind SQL injection, inferring data through boolean conditions or time-based payloads.

The Patchstack advisory tracks this as a plugin-level flaw reachable through standard HTTP requests to the plugin's endpoints. The scope is marked as changed, indicating that the injected query can affect resources beyond the vulnerable component, such as shared database tables used by WordPress core and other plugins.

Attackers can enumerate database schema, extract administrator credentials, and chain access into broader site compromise. The attack does not require an account on the target site.

Root Cause

The root cause is improper neutralization of special characters in an SQL command [CWE-89]. The plugin passes attacker-controlled values directly into database queries instead of using prepared statements through WordPress's $wpdb->prepare() API. Quote characters, comment markers, and SQL keywords are not escaped before query execution.

Attack Vector

An unauthenticated remote attacker sends crafted HTTP requests containing SQL payloads to a vulnerable WP Directory Kit endpoint. Because the injection is blind, attackers typically use boolean-based payloads such as ' AND (SELECT SUBSTRING(user_pass,1,1) FROM wp_users WHERE ID=1)='a or time-based payloads using SLEEP() to extract data one character at a time.

The Patchstack advisory documents the specific parameter and endpoint. Refer to the Patchstack Vulnerability Report for the technical proof-of-concept details.

Detection Methods for CVE-2026-42672

Indicators of Compromise

  • HTTP requests to WP Directory Kit plugin endpoints containing SQL syntax such as UNION SELECT, SLEEP(, BENCHMARK(, or ' OR '1'='1
  • Unusual wp_users or wp_options table read patterns originating from web application processes
  • Repeated requests with incrementing payload values consistent with character-by-character data extraction
  • Long-running database queries triggered by anonymous HTTP requests during off-hours

Detection Strategies

  • Inspect web server access logs for requests targeting wp-admin/admin-ajax.php or plugin routes with suspicious query parameters containing SQL metacharacters
  • Enable MySQL general or slow query logs and correlate anomalous queries against the originating HTTP request
  • Deploy a Web Application Firewall (WAF) rule set targeting WordPress SQL injection signatures

Monitoring Recommendations

  • Alert on outbound responses with abnormal latency patterns indicating time-based SQL injection probing
  • Track repeated 200/500 responses from plugin endpoints from a single source IP within short time windows
  • Monitor for new administrator accounts, password changes, or option modifications following suspicious request bursts
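
An added example (not code from the advisory or the plugin) of the access-log inspection and per-source burst tracking described in the Detection Strategies and Monitoring Recommendations lists above, using the signatures from the Indicators of Compromise. The log lines are constructed, and the `q` parameter, action name and plugin path in them are hypothetical, since this page does not name the vulnerable parameter or endpoint.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

# Combined Log Format prefix: ip - - [time] "METHOD uri PROTO" status
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3})')
# Signatures taken from the Indicators of Compromise list on this page.
SQLI = re.compile(r"(?i)union\s+(?:all\s+)?select|sleep\s*\(|benchmark\s*\(|'\s*or\s*'1'\s*=\s*'1")
# Assumption: plugin routes carry the slug; admin-ajax.php is watched as well.
TARGETS = ("wpdirectorykit", "admin-ajax.php")

SAMPLE = [  # constructed lines; the "q" parameter, action and paths are hypothetical
    '203.0.113.7 - - [02/Jun/2026:03:14:01 +0000] "GET /wp-admin/admin-ajax.php?action=demo&q=1+AND+SLEEP%285%29 HTTP/1.1" 200 512',
    '203.0.113.7 - - [02/Jun/2026:03:14:11 +0000] "GET /wp-admin/admin-ajax.php?action=demo&q=1+AND+SLEEP%283%29 HTTP/1.1" 200 512',
    '203.0.113.7 - - [02/Jun/2026:03:14:21 +0000] "GET /wp-admin/admin-ajax.php?action=demo&q=x%2527+OR+%25271%2527%253D%25271 HTTP/1.1" 500 0',
    '198.51.100.23 - - [02/Jun/2026:09:00:00 +0000] "GET /wp-content/plugins/wpdirectorykit/?q=1+UNION+SELECT+1 HTTP/1.1" 403 0',
    '198.51.100.40 - - [02/Jun/2026:09:05:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 64',
]

def decode(uri, rounds=2):
    """URL-decode up to `rounds` times so double-encoded payloads still match."""
    for _ in range(rounds):
        nxt = unquote_plus(uri)
        if nxt == uri:
            break
        uri = nxt
    return uri

def scan(lines, burst=3, window=timedelta(seconds=60)):
    """Return (hits, flagged): matching requests, and IPs with >= burst hits inside window."""
    hits, per_ip = [], defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not in the expected log format
        ip, ts, raw, status = m.groups()
        uri = decode(raw)
        if any(t in uri.lower() for t in TARGETS) and SQLI.search(uri):
            when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
            hits.append((ip, when, int(status), uri))
            per_ip[ip].append(when)
    flagged = set()
    for ip, times in per_ip.items():
        times.sort()
        for i in range(len(times) - burst + 1):
            if times[i + burst - 1] - times[i] <= window:
                flagged.add(ip)
    return hits, flagged
```

Access logs record only the request line, so payloads sent in POST bodies will not appear here; those need WAF audit logging or the MySQL query logs mentioned above.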

How to Mitigate CVE-2026-42672

Immediate Actions Required

  • Disable the WP Directory Kit plugin until a patched version above 1.5.1 is installed
  • Restrict access to the WordPress site behind a WAF with WordPress-specific SQL injection rules
  • Rotate WordPress administrator passwords and invalidate active sessions if exploitation is suspected
  • Audit wp_users and wp_usermeta for unauthorized accounts or privilege changes

Patch Information

No fixed version is listed in the NVD entry at the time of publication. Monitor the Patchstack Vulnerability Report and the plugin's WordPress.org page for an official update from the vendor. Apply the patched release immediately upon availability.

Workarounds

  • Deactivate and remove the WP Directory Kit plugin from affected sites until a fix is released
  • Block requests containing SQL metacharacters targeting plugin endpoints at the WAF or reverse proxy layer
  • Apply database-level least privilege so the WordPress database user cannot access tables outside the WordPress schema

```bash
# Disable WP Directory Kit via WP-CLI until a patch is available
wp plugin deactivate wpdirectorykit
wp plugin delete wpdirectorykit
```

```apache
# Example ModSecurity rule to block common SQLi payloads on plugin paths
SecRule REQUEST_URI "@contains wpdirectorykit" \
  "chain,deny,status:403,id:1042672,msg:'Block WP Directory Kit SQLi attempt'"
SecRule ARGS "@rx (?i)(union(.*?)select|sleep\(|benchmark\(|--\s|'\s+or\s+'1'='1)" \
  "t:none,t:urlDecodeUni"
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
