CVE-2026-39531: Blind SQL Injection in WP Directory Kit
A critical blind SQL injection vulnerability has been disclosed in the WP Directory Kit plugin for WordPress, tracked as CVE-2026-39531 (CVSS 9.3, Critical). Affecting all versions through 1.5.0, the flaw stems from improper neutralization of special characters in SQL commands — allowing unauthenticated attackers to exfiltrate database contents via time-based or boolean-based inference.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-39531 |
| CVSS Score | 9.3 (Critical) |
| CWE Classification | CWE-89 — Improper Neutralization of Special Elements in SQL Command |
| Attack Type | Blind SQL Injection |
| Affected Plugin | WP Directory Kit (WordPress) |
| Affected Versions | All versions through 1.5.0 |
| Authentication Required | None |
| Published | 2026-05-21 |
| Source | NIST NVD |
Technical Details
Blind SQL injection differs from classic SQL injection in that the application does not directly return query results to the attacker. Instead, the attacker infers database content by:
- Boolean-based blind SQLi: Sending queries that produce different application responses depending on whether a condition is true or false
- Time-based blind SQLi: Using database functions like `SLEEP()` (MySQL) or `WAITFOR DELAY` (MSSQL) to cause measurable response delays based on query conditions
In CVE-2026-39531, the WP Directory Kit plugin fails to properly sanitize user-supplied input before incorporating it into SQL queries. A malicious actor can supply crafted input such as:
```
1' AND SLEEP(5)-- -
```
If the application responds with a 5-second delay, the attacker confirms SQL injection is possible and begins extracting data character-by-character.
What Can Be Extracted
With a successful blind SQLi attack against a WordPress installation, an attacker can enumerate and exfiltrate:
- WordPress user table (`wp_users`) — including usernames and hashed passwords
- User metadata (`wp_usermeta`) — including admin email addresses and session tokens
- Site configuration data (`wp_options`) — including the `siteurl`, `blogname`, and secret keys
- Plugin/theme configuration data — potentially including API keys stored as plugin settings
- All custom post/page content in the database
Attack Flow
1. Attacker identifies a WordPress site running WP Directory Kit ≤ 1.5.0
2. Attacker crafts a URL or form submission targeting a vulnerable plugin parameter
3. Attacker confirms SQLi via boolean-based probe:
Parameter=1' AND 1=1-- - → normal response (condition TRUE)
Parameter=1' AND 1=2-- - → altered response (condition FALSE)
4. Attacker uses automated tooling (sqlmap) or manual enumeration to extract:
- Number of databases
- Database names
- Table names in the WordPress database
- Column names in wp_users
5. Attacker exfiltrates user_login and user_pass fields from wp_users
6. Attacker cracks the bcrypt password hashes offline (or uses as-is if site has weak passwords)
7. Attacker authenticates to WordPress admin panel and achieves full site control
Affected Software
The WP Directory Kit plugin provides directory listing functionality for WordPress sites — commonly used for business directories, member listings, and listing portals. As of the time of disclosure, all versions up to and including 1.5.0 are affected.
Remediation
1. Update the Plugin
The primary remediation is to update WP Directory Kit to a patched version, if one has been released by the vendor.
```bash
# Via WP-CLI
wp plugin update wp-directory-kit
# Verify installed version
wp plugin get wp-directory-kit --field=version
```
Alternatively, update via WordPress Admin > Plugins > WP Directory Kit > Update Now.
2. If No Patch Is Available
If a patched version is not yet available:
- Deactivate and remove the plugin until a patch is released
- Replace functionality with an alternative directory plugin
- Add a WAF rule to block SQL injection attempts against the plugin's endpoints
3. Harden SQL Injection Defenses
Even after patching, strengthen your WordPress installation:
```bash
# Install and configure a WordPress security plugin with WAF capabilities
# (Wordfence, Sucuri, or Cloudflare WAF rules for WordPress)
# Check for unexpected admin users that may have been created
wp user list --role=administrator
# Review recent wp_users entries for unfamiliar accounts
wp user list --fields=user_login,user_registered,user_email --format=table
```
Detection
Monitor for SQLi probe patterns in your web server access logs:
```bash
# Look for common SQL injection patterns in access logs
grep -iE "(sleep\(|waitfor\s+delay|1=1|1=2|union\s+select|or\s+1=1)" \
  /var/log/nginx/access.log | tail -200
# Look for repeated requests to wp-directory-kit plugin endpoints
grep -i "wp-directory-kit" /var/log/nginx/access.log | \
  awk '{print $1}' | sort | uniq -c | sort -rn | head -20
```
Note that probes usually appear percent-encoded in access logs (`%27` for `'`, `%28` for `(`, `%3D` for `=`), so decode the request line first or extend the pattern with the encoded forms. Unusual patterns of repeated requests with slightly varying parameters to the same plugin endpoint — especially with URL-encoded single quotes — are a strong indicator of blind SQLi enumeration in progress.
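The heuristic above (one client sending slightly varying, quoted values to the same plugin endpoint) as a small log analyser, added here as an example rather than code from the advisory or the plugin. The endpoint path (`PLACEHOLDER.php`), the sample log lines and the `MIN_VARIANTS` threshold are constructed assumptions; the probe regex reuses the advisory's grep terms but is applied to URL-decoded parameter values.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Common/combined access-log line: client IP, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" \d{3}')
# The advisory's grep patterns, applied here to URL-decoded parameter values.
SQLI_RE = re.compile(r"sleep\s*\(|waitfor\s+delay|\b1\s*=\s*[12]\b|union\s+select|\bor\s+1\s*=\s*1", re.I)
PLUGIN_MARKER = "wp-directory-kit"  # the advisory's grep term; adapt if the plugin routes via admin-ajax.php
MIN_VARIANTS = 3  # distinct values of one parameter from one IP before alerting (assumed threshold)

# Constructed sample lines (not from any real incident); PLACEHOLDER.php stands in for the real endpoint.
SAMPLE_LOG = """\
203.0.113.7 - - [21/May/2026:10:00:01 +0000] "GET /wp-content/plugins/wp-directory-kit/PLACEHOLDER.php?id=1 HTTP/1.1" 200 512
203.0.113.7 - - [21/May/2026:10:00:02 +0000] "GET /wp-content/plugins/wp-directory-kit/PLACEHOLDER.php?id=1%27%20AND%201%3D1--%20- HTTP/1.1" 200 512
203.0.113.7 - - [21/May/2026:10:00:03 +0000] "GET /wp-content/plugins/wp-directory-kit/PLACEHOLDER.php?id=1%27%20AND%201%3D2--%20- HTTP/1.1" 200 17
203.0.113.7 - - [21/May/2026:10:00:09 +0000] "GET /wp-content/plugins/wp-directory-kit/PLACEHOLDER.php?id=1%27%20AND%20SLEEP%285%29--%20- HTTP/1.1" 200 512
198.51.100.4 - - [21/May/2026:10:01:00 +0000] "GET /wp-content/plugins/wp-directory-kit/PLACEHOLDER.php?id=42 HTTP/1.1" 200 600
192.0.2.9 - - [21/May/2026:10:02:00 +0000] "GET /wp-content/plugins/wp-directory-kit/PLACEHOLDER.php?q=O%27Brien HTTP/1.1" 200 640
"""

def parse_line(line):
    """Parse one log line into (ip, path, decoded query params); None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    return m["ip"], url.path, parse_qsl(url.query, keep_blank_values=True)

def suspicious_value(value):
    """A decoded parameter value containing a single quote or one of the probe patterns."""
    return "'" in value or bool(SQLI_RE.search(value))

def find_probes(log_text):
    """Alert when one IP sends MIN_VARIANTS+ distinct values for one parameter of a plugin
    endpoint and at least one of them looks like a probe: the enumeration pattern described above."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or PLUGIN_MARKER not in rec[1]:
            continue
        for name, value in rec[2]:
            seen[(rec[0], rec[1], name)].add(value)
    alerts = []
    for (ip, path, name), values in seen.items():
        hits = sorted(v for v in values if suspicious_value(v))
        if len(values) >= MIN_VARIANTS and hits:
            alerts.append({"ip": ip, "path": path, "param": name, "variants": len(values), "hits": hits})
    return alerts
```

A single apostrophe in a search term (the `O'Brien` line) is flagged per value but never reaches the variant threshold on its own, which keeps ordinary users out of the alert list.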
Risk Assessment
| Factor | Assessment |
|---|---|
| CVSS 9.3 (Critical) | Maximum severity for unauthenticated data exposure |
| No authentication required | Exploitable by any internet-accessible attacker |
| Data at risk | Full WordPress database including credentials |
| Automated exploitation | Tools like sqlmap trivialize the extraction process |
| Patch status | Monitor vendor for patch release; deactivate if unpatched |
Key Takeaways
- CVE-2026-39531 is a critical blind SQL injection flaw in WP Directory Kit affecting all versions through 1.5.0
- CVSS 9.3 — no authentication required, full database exfiltration possible
- Immediate action: Update the plugin if a patch is available, or deactivate it until patched
- Monitor logs for SQLi probe patterns targeting plugin endpoints
- Audit wp_users for any unexpected administrator accounts that may indicate prior compromise