CVE-2026-39531: WP Directory Kit Blind SQL Injection Flaw Rated Critical
The National Vulnerability Database has identified a critical SQL injection vulnerability, CVE-2026-39531, in the WP Directory Kit plugin. This flaw allows for blind SQL injection attacks, meaning an attacker can infer data from the database without directly seeing the output. The vulnerability affects versions up to and including 1.5.0.
With a CVSS score of 9.3, this is a severe security issue. Attackers can exploit this vulnerability remotely without needing any prior authentication or user interaction. The ‘S:C’ (Scope: Changed) component in the CVSS vector indicates that the vulnerability could impact components beyond the vulnerable application itself, potentially leading to broader system compromise.
Defenders should prioritize patching or removing WP Directory Kit versions up to and including 1.5.0 immediately. Given the critical severity and ease of exploitation, organizations must assume this vulnerability is actively being targeted. A thorough audit of web application firewall (WAF) logs for suspicious SQL query patterns is also advised.
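One way to run the log audit suggested above is sketched below as an added example; it is not part of the NVD entry or the plugin's code. The advisory does not name the vulnerable endpoint or parameter, so the log lines, paths and parameter names are constructed, and the three rules are heuristics for common blind SQL injection markers rather than a signature for this CVE.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed access-log lines (combined format); paths and parameters are hypothetical.
SAMPLE_LOG = """\
203.0.113.7 - - [21/May/2026:19:20:01 +0000] "GET /listings/?search=cafe HTTP/1.1" 200 5123
203.0.113.9 - - [21/May/2026:19:20:05 +0000] "GET /listings/?id=1%20AND%20SLEEP(5) HTTP/1.1" 200 5101
203.0.113.9 - - [21/May/2026:19:20:11 +0000] "GET /listings/?id=7%2520AND%25201%253D1 HTTP/1.1" 200 5101
198.51.100.4 - - [21/May/2026:19:21:40 +0000] "GET /listings/?search=select+a+union+hall HTTP/1.1" 200 4410
"""

REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
RULES = {
    # Delay functions used to infer data from response time.
    "time-based": re.compile(r"\b(?:sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.I),
    # Tautology/contradiction probes such as "AND 1=1" used to infer data from page differences.
    "boolean-based": re.compile(r"\b(?:and|or)\s+\d+\s*=\s*\d+", re.I),
    # Nested or stacked SELECTs inside a parameter value.
    "subquery": re.compile(r"\(\s*select\b|\bunion\s+(?:all\s+)?select\b", re.I),
}

def decode_fully(value, max_rounds=3):
    """Undo nested URL encoding (%2520 -> %20 -> space), bounded to a few rounds."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan(log_text):
    """Return (client_ip, matched_rule_names, decoded_query) for each suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue  # not a request line this parser understands
        ip, target = m.groups()
        query = decode_fully(urlsplit(target).query)
        matched = [name for name, rx in RULES.items() if rx.search(query)]
        if matched:
            hits.append((ip, matched, query))
    return hits

if __name__ == "__main__":
    for ip, rules, query in scan(SAMPLE_LOG):
        print(ip, ",".join(rules), query)
```

Only query strings are inspected here; POST bodies are not present in standard access logs and need WAF or application-level logging to review.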
What This Means For You
- If your organization uses the WP Directory Kit plugin, you must update to a patched version or disable the plugin immediately. This SQL injection vulnerability (CVE-2026-39531) carries a critical CVSS score of 9.3 and is exploitable remotely without authentication, posing a direct threat to your database integrity and potentially leading to data exfiltration.
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-39531 | SQLi | Product: WP Directory Kit |
| CVE-2026-39531 | SQLi | Affected versions: n/a through 1.5.0 |
| CVE-2026-39531 | SQLi | CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
| CVE-2026-39531 | SQLi | Blind SQL Injection |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 21, 2026 at 19:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.