How is CVE-2026-49073 exploited?

Network reachability (required): The vulnerable plugin endpoint is exposed over the network, so an attacker must be able to reach the WordPress installation via HTTP/HTTPS. Authentication (required): Any low-privilege WordPress account (such as a subscriber or contributor) is sufficient; no administrative credentials are needed. Victim interaction (not-required): The attacker can trigger the injection directly without any action from another user or administrator. Attack complexity (info): Exploit conditions are reliable and free of race conditions or special environmental dependencies, though blind SQL injection requires iterative query techniques to extract data.

What is the impact of CVE-2026-49073?

Reads stored database contents, including user records, session tokens, booking details, and any other data accessible to the database user, via blind SQL injection enumeration. Confidentiality impact is high with scope change, meaning data from database tables outside the plugin's immediate context may be accessible if the database user has broad permissions. Availability is partially affected; malformed or resource-intensive injected queries can slow or crash database-dependent functionality for the affected WordPress site.

Back to search

HIGHCVE-2026-49073Published 2026-06-16Modified 2026-06-16CNA Patchstack

CVE-2026-49073: WordPress Directorist Booking plugin <= 3.0.3 - SQL Injection vulnerability

Q: What is CVE-2026-49073?

A SQL injection vulnerability affects the wpWax Directorist Booking WordPress plugin at version 3.0.3 and earlier. The flaw is reachable over the network by any authenticated user with a low-privilege account (such as a subscriber or contributor), and no victim interaction is required to trigger it. Successful exploitation allows an attacker to extract sensitive data from the underlying database through blind SQL injection techniques, and may partially disrupt service availability. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

Q: Is CVE-2026-49073 patched?

No upstream fix version has been published for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment wpWax ships a remediated release. Where compliance policy permits, customers with auto-remediation enabled will receive the rebuild, a regression-test run, and a PR opened against affected workloads without manual intervention.

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in wpWax Directorist Booking allows Blind SQL Injection. This issue affects Directorist Booking: from n/a through 3.0.3.

CVSS v3.1: 8.5
Severity: HIGH
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

A SQL injection vulnerability affects the wpWax Directorist Booking WordPress plugin at version 3.0.3 and earlier. The flaw is reachable over the network by any authenticated user with a low-privilege account (such as a subscriber or contributor), and no victim interaction is required to trigger it. Successful exploitation allows an attacker to extract sensitive data from the underlying database through blind SQL injection techniques, and may partially disrupt service availability. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including Patchstack) within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, covering custom-built images that bundle the Directorist Booking plugin.

Available

Triage

HarborGuard scores this finding at CVSS 8.5 HIGH (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L) and weights it against each environment's compliance policy to determine urgency and routing, surfacing it to the appropriate team inbox within each customer organization.

Available

Patch

No upstream fix version has been published for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment wpWax ships a remediated release. Where compliance policy permits, customers with auto-remediation enabled will receive the rebuild, a regression-test run, and a PR opened against affected workloads without manual intervention.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The vulnerable plugin endpoint is exposed over the network, so an attacker must be able to reach the WordPress installation via HTTP/HTTPS.
AuthenticationRequired
Any low-privilege WordPress account (such as a subscriber or contributor) is sufficient; no administrative credentials are needed.
Victim interactionNot required
The attacker can trigger the injection directly without any action from another user or administrator.
Attack complexityDetail
Exploit conditions are reliable and free of race conditions or special environmental dependencies, though blind SQL injection requires iterative query techniques to extract data.

Blast Radius

Reads stored database contents, including user records, session tokens, booking details, and any other data accessible to the database user, via blind SQL injection enumeration.
Confidentiality impact is high with scope change, meaning data from database tables outside the plugin's immediate context may be accessible if the database user has broad permissions.
Availability is partially affected; malformed or resource-intensive injected queries can slow or crash database-dependent functionality for the affected WordPress site.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-49073 is active across connected registries and pipelines, flagging any image that bundles Directorist Booking at version 3.0.3 or earlier. Because no upstream fix exists yet, HarborGuard monitors the Patchstack advisory on every ingest cycle and will make a patched-image rebuild available the moment wpWax publishes a remediated release. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will be initiated automatically, where compliance policy permits. In the interim, compensating controls worth considering include network-policy isolation to restrict access to the WordPress installation to known-good IP ranges, WAF rules targeting SQL metacharacter patterns in request parameters handled by the booking plugin, and reviewing database user permissions to apply least-privilege access so the WordPress database account cannot read tables outside its required scope.

See how HarborGuard automates this

Affected packages

wpWax / Directorist Booking
≤ 3.0.3

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L

References

patchstack.com

Metrics

Get notified