DirectoryPress Plugin Flaw Exposes WordPress Sites to SQL Injection
The National Vulnerability Database has flagged a critical SQL injection vulnerability in the popular DirectoryPress – Business Directory And Classified Ad Listing plugin for WordPress. The flaw, tracked as CVE-2026-3489, affects versions up to and including 3.6.26.
According to the National Vulnerability Database, the vulnerability stems from insufficient sanitization of the ‘packages’ parameter. This allows unauthenticated attackers to inject malicious SQL code into existing database queries. The National Vulnerability Database notes that this could be exploited to extract sensitive information from the underlying WordPress database.
This type of attack, identified under CWE-89, is particularly concerning for businesses relying on directories or classified ad listings for revenue and customer engagement. The high CVSS score of 7.5 underscores the severity and ease of exploitation.
What This Means For You
- If your WordPress site uses the DirectoryPress plugin, check your version immediately. If you are running version 3.6.26 or earlier, you must update to the latest patched version ASAP to prevent attackers from siphoning sensitive database information.
Related ATT&CK Techniques
🛡️ Detection Rules
7 rules · 6 SIEM formats7 auto-generated detection rules for this incident, mapped to MITRE ATT&CK. Available in Sigma, Splunk SPL, Sentinel KQL, Elastic Lucene, QRadar AQL, and Wazuh.
Web Application Exploitation Attempt — CVE-2026-3489
Want this in your SIEM's native format? Get Splunk SPL, Sentinel KQL, Elastic, QRadar AQL, or Wazuh — ready to paste.
7 Sigma rules mapped to the ATT&CK techniques from this breach — pick your SIEM and get a ready-to-paste query.
Get All SIEM Formats →Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-3489 | Vulnerability | CVE-2026-3489 |
| CVE-2026-3489 | Affected Product | versions |
Related Posts
CVE-2026-6410 — Path Traversal
CVE-2026-6410 — @fastify/static versions 8.0.0 through 9.1.0 allow path traversal when directory listing is enabled via the list option. The dirList.path() function resolves directories outside...
Fastify Middleware Flaw Exposes Apps to Auth Bypass
CVE-2026-6270 — @fastify/middie versions 9.3.1 and earlier do not register inherited middleware directly on child plugin engine instances. When a Fastify application registers authentication middleware...
SQL Injection Flaw Found in Zoho ManageEngine PAM/PMP
CVE-2026-5785 — Zohocorp ManageEngine PAM360 versions before 8531 and ManageEngine Password Manager Pro versions from 8600 to 13230 are vulnerable to Authenticated SQL injection in...