How is CVE-2026-42672 exploited?

Network reachability (required): The vulnerable plugin endpoint is exposed over the network, so an attacker must be able to send HTTP requests to the WordPress installation to exploit this vulnerability. Authentication (not-required): No account or credential of any privilege level is needed; the injection point is reachable by any anonymous request. Victim interaction (not-required): The attacker sends crafted requests directly to the server and does not need any user to click a link or take any other action. Attack complexity (info): Attack complexity is low, meaning the exploit is reliable and requires no special race condition, memory layout knowledge, or environmental prerequisite beyond network access.

What is the impact of CVE-2026-42672?

Reads database contents accessible to the WordPress database user, including stored credentials (hashed passwords), user email addresses, session tokens, and plugin configuration data. Blind SQL injection allows row-by-row data extraction, so the attacker can enumerate and exfiltrate records from any table the database user can query. The A:L (Low availability) impact token indicates the injection can disrupt query execution, causing intermittent errors or degraded performance in the WordPress site. Because the scope token is Changed (S:C), impact can extend beyond the WordPress application itself to other databases or services sharing the same database server.

Back to search

CRITICALCVE-2026-42672Published 2026-06-01Modified 2026-06-01CNA Patchstack

CVE-2026-42672: WordPress WP Directory Kit plugin <= 1.5.1 - SQL Injection vulnerability

Q: What is CVE-2026-42672?

SQL injection vulnerability in the WP Directory Kit WordPress plugin (versions up to and including 1.5.1) allows an unauthenticated remote attacker to send crafted HTTP requests that manipulate the plugin's database queries using blind SQL injection techniques. The attack requires no authentication and no victim interaction, and is reachable over the network. Successful exploitation reads confidential data from the underlying database and can degrade service availability. No fix version has been published; HarborGuard tracks this advisory for patch availability.

Q: Is CVE-2026-42672 patched?

Because no upstream fix has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment a remediated version of WP Directory Kit is released. In the meantime, customers with compensating-control policies can apply network-level restrictions through HarborGuard's policy engine to reduce exposure while the plugin remains unpatched.

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Wp Directory Kit WP Directory Kit allows Blind SQL Injection. This issue affects WP Directory Kit: from n/a through 1.5.1.

CVSS v3.1: 9.3
Severity: CRITICAL
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

SQL injection vulnerability in the WP Directory Kit WordPress plugin (versions up to and including 1.5.1) allows an unauthenticated remote attacker to send crafted HTTP requests that manipulate the plugin's database queries using blind SQL injection techniques. The attack requires no authentication and no victim interaction, and is reachable over the network. Successful exploitation reads confidential data from the underlying database and can degrade service availability. No fix version has been published; HarborGuard tracks this advisory for patch availability.

HarborGuard Coverage

Detection

Detection capability is available across every HarborGuard environment: CVE-2026-42672 is ingested from upstream feeds (including Patchstack) within minutes of publication and matched against all customer images, including custom-built WordPress images that bundle the WP Directory Kit plugin. Any image carrying the affected plugin at version 1.5.1 or earlier is flagged automatically.

Available

Triage

HarborGuard scores this finding at CVSS 9.3 Critical and weights it against each customer environment's compliance policy to determine urgency and routing. The resulting alert is directed to the appropriate team inbox within each customer org based on image ownership and policy configuration.

Available

Patch

Because no upstream fix has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment a remediated version of WP Directory Kit is released. In the meantime, customers with compensating-control policies can apply network-level restrictions through HarborGuard's policy engine to reduce exposure while the plugin remains unpatched.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The vulnerable plugin endpoint is exposed over the network, so an attacker must be able to send HTTP requests to the WordPress installation to exploit this vulnerability.
AuthenticationNot required
No account or credential of any privilege level is needed; the injection point is reachable by any anonymous request.
Victim interactionNot required
The attacker sends crafted requests directly to the server and does not need any user to click a link or take any other action.
Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and requires no special race condition, memory layout knowledge, or environmental prerequisite beyond network access.

Blast Radius

Reads database contents accessible to the WordPress database user, including stored credentials (hashed passwords), user email addresses, session tokens, and plugin configuration data.
Blind SQL injection allows row-by-row data extraction, so the attacker can enumerate and exfiltrate records from any table the database user can query.
The A:L (Low availability) impact token indicates the injection can disrupt query execution, causing intermittent errors or degraded performance in the WordPress site.
Because the scope token is Changed (S:C), impact can extend beyond the WordPress application itself to other databases or services sharing the same database server.

How HarborGuard Handles This

Available on HarborGuard: this CVE is matched against all images containing the WP Directory Kit plugin at version 1.5.1 or earlier, with a Critical (9.3) severity alert routed per each environment's compliance policy. Because no upstream patch exists yet, HarborGuard monitors the Patchstack advisory on every ingest cycle and will surface a patched-image rebuild automatically once a fixed version is published. For customers who opt into auto-remediation, that rebuild will trigger a regression test run and a PR opened against affected workloads without manual intervention. While the plugin remains unpatched, compensating controls are available: customers can apply network-policy isolation to restrict inbound access to the WordPress installation to trusted sources only, and can use egress filtering to limit what the database connection can reach, reducing the risk of large-scale data exfiltration even if the injection is triggered.

See how HarborGuard automates this

Affected packages

Wp Directory Kit / WP Directory Kit
≤ 1.5.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L

References

patchstack.com

Metrics

Get notified