CVE-2026-39531 9.3 CRITICAL
Unauthenticated SQL injection in the WP Directory Kit plugin allows attackers to inject arbitrary SQL through a request parameter that reaches the database layer without proper sanitization or prepared statements.
| Product | WP Directory Kit |
|---|---|
| Affected Versions | ≤ 1.5.0 |
| Fixed Version | 1.5.1 |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N |
| CWE | CWE-89 (Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)) |
| Published | 2026-04-13 |
| Active installs | 3,000+ |
Description
The WP Directory Kit plugin for WordPress is vulnerable to SQL Injection in all versions up to and including 1.5.0. A user-controlled 'filter_ids' parameter is interpolated into an IN clause through esc_sql() alone, which escapes quotes but does not restrict the value to numeric content. The same pattern appears in three methods of the Wdk_frontendajax controller, all reachable through the unauthenticated frontend dispatcher, so any remote attacker can break out of the IN clause and read data from arbitrary tables in the WordPress database, including rows outside the plugin's own scope.
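The pattern described above, shown as an added example that is not code from the WP Directory Kit plugin: a handler that runs a comma-separated id list through esc_sql() and interpolates it unquoted into an IN clause, beside a hardened form that coerces each element to an integer and binds it through $wpdb->prepare(). The function names, the table name and the shape of the incoming parameter are assumptions for illustration.

```php
<?php
// Added example. Handler names, the wdk_items table and the parameter
// format are assumed; this is not the plugin's own code.

// Vulnerable pattern: esc_sql() only escapes quote characters. A value that
// lands inside IN ( ... ) without surrounding quotes is never part of a
// string literal, so quote escaping places no limit on what reaches MySQL.
function wdk_example_vulnerable_lookup( $filter_ids ) {
    global $wpdb;
    $table = $wpdb->prefix . 'wdk_items'; // assumed table name
    $ids   = esc_sql( $filter_ids );      // escapes quotes, nothing more
    return $wpdb->get_results(
        "SELECT id, title FROM {$table} WHERE id IN ({$ids})"
    );
}

// Hardened form: treat the parameter as a list of integers, discard anything
// that is not a positive integer, and bind every surviving value with its own
// %d placeholder so the database never sees user-controlled SQL text.
function wdk_example_safe_lookup( $filter_ids ) {
    global $wpdb;
    $table = $wpdb->prefix . 'wdk_items'; // assumed table name

    // absint() maps each element to a non-negative integer; array_filter()
    // drops the zeros produced by non-numeric or empty elements.
    $ids = array_filter( array_map( 'absint', explode( ',', (string) $filter_ids ) ) );
    if ( empty( $ids ) ) {
        return array();
    }

    // One %d placeholder per id; $wpdb->prepare() accepts the values as an array.
    $placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );
    $sql = $wpdb->prepare(
        "SELECT id, title FROM {$table} WHERE id IN ({$placeholders})",
        array_values( $ids )
    );
    return $wpdb->get_results( $sql );
}
```

The integer coercion is the part that matters: once every element is an int and is bound with %d, the IN list can only ever contain numbers, so no escaping step is needed for this parameter. The same transformation applies to each of the affected methods, since the advisory states they share the pattern.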
Impact
An unauthenticated attacker can exfiltrate sensitive data from the WordPress database, including users, password hashes, session tokens and any custom tables created by other plugins. Because no authentication is required, the bug is directly exploitable in automated mass-exploitation campaigns against vulnerable sites, with slow extraction techniques used to pull the data out.