CVE-2026-22336
SQL Injection in Directorist Booking Allows Data Manipulation
Publication date: 2026-04-27
Last updated on: 2026-04-27
Assigner: Patchstack
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| directorist | booking | All versions before 3.0.2 (3.0.2 excluded) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
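To make the CWE-89 mechanism concrete, the following is an added example and not code from the advisory or from the Directorist plugin: a booking lookup against an in-memory SQLite database, run once with the user-supplied reference spliced into the SQL text and once with it passed as a bound parameter. The bookings table and its columns are invented for the example (only the wp_users table name is WordPress's own); the page does not show the plugin's actual query.

```python
import sqlite3

# Constructed stand-in schema for the example: an invented bookings table beside
# the real WordPress wp_users table name, so the UNION payload has something
# sensitive to reach. The password hash is a fake placeholder.
SCHEMA = """
CREATE TABLE bookings (id INTEGER PRIMARY KEY, ref TEXT, customer TEXT, email TEXT);
CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
INSERT INTO bookings VALUES (1, 'BK-1001', 'alice', 'alice@example.com');
INSERT INTO bookings VALUES (2, 'BK-1002', 'bob', 'bob@example.com');
INSERT INTO wp_users VALUES (1, 'admin', '$P$BfakeHashForTheExample');
"""


def open_db():
    """Fresh in-memory database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_vulnerable(conn, ref):
    """CWE-89 pattern: the untrusted value is concatenated into the SQL text,
    so any SQL syntax it carries is parsed as SQL rather than compared as data."""
    sql = "SELECT customer, email FROM bookings WHERE ref = '" + ref + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, ref):
    """Parameterised form: the value is bound separately from the SQL text and
    can only ever be compared as a string literal, whatever it contains."""
    sql = "SELECT customer, email FROM bookings WHERE ref = ?"
    return conn.execute(sql, (ref,)).fetchall()


# Two classic payloads supplied in place of a booking reference.
TAUTOLOGY = "' OR '1'='1"
UNION_DUMP = "' UNION SELECT user_login, user_pass FROM wp_users --"


def demo():
    """Run both lookups with a normal value and with each payload; the
    vulnerable lookup leaks every booking, then the admin credential row."""
    conn = open_db()
    return {
        "normal": (lookup_vulnerable(conn, "BK-1001"), lookup_safe(conn, "BK-1001")),
        "tautology": (lookup_vulnerable(conn, TAUTOLOGY), lookup_safe(conn, TAUTOLOGY)),
        "union_dump": (lookup_vulnerable(conn, UNION_DUMP), lookup_safe(conn, UNION_DUMP)),
    }


if __name__ == "__main__":
    for name, (vuln, safe) in demo().items():
        print(f"{name:10s} vulnerable={vuln} safe={safe}")
```

In WordPress the bound-parameter form corresponds to `$wpdb->prepare()` with `%s`/`%d` placeholders; the spliced form is the pattern CWE-89 describes. The UNION payload also shows why a read-only injection with no integrity impact is still a credential-disclosure problem: the plugin's queries run against the same database that holds wp_users.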
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-22336 is a high-severity SQL injection vulnerability in the WordPress Directorist Booking plugin, affecting versions before 3.0.2.
It allows unauthenticated attackers to inject SQL into a query the plugin sends to the WordPress database, so attacker-controlled input is executed as part of the SQL statement instead of being treated as data.
It falls under OWASP Top 10 category A03:2021 Injection and is classified as CWE-89, improper neutralization of special elements used in an SQL command.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
CVE-2026-22336 is a high-severity SQL Injection vulnerability that allows unauthenticated attackers to interact directly with the plugin's database, potentially leading to data theft.
Such unauthorized access and potential data breaches can compromise the confidentiality and integrity of sensitive personal data, which are critical requirements under common standards and regulations like GDPR and HIPAA.
Failure to address this vulnerability could result in non-compliance with these regulations due to inadequate protection of personal data and insufficient security controls.
Immediate mitigation by updating the plugin to version 3.0.2 or later is essential to maintain compliance and protect sensitive information.
How can this vulnerability impact me?
Because no authentication is required, an attacker can send crafted queries to the site's database, which can lead to data theft and other malicious activity.
Since exploitation requires no privileges, the issue lends itself to mass campaigns that sweep many WordPress sites for the vulnerable plugin version.
According to the CVSS vector cited for the issue, the impact on confidentiality is high and the impact on availability is low, while integrity is not affected: the practical consequence is reading data out of the database rather than altering it.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Exploitation attempts can be detected by inspecting web server access logs for request parameters that, once URL-decoded, contain SQL syntax aimed at the plugin's endpoints: unbalanced quotes, UNION SELECT, SLEEP() or BENCHMARK() calls, or comment sequences such as -- and /*. Access logs record only the query string of GET requests, so injection carried in a POST body is visible only in a WAF or ModSecurity audit log, in application-level request logging, or in the MySQL general query log, where the malformed queries themselves appear.
The resources do not provide specific commands. Common approaches are a web application firewall with SQL injection rules, a vulnerability scanner that tests the affected plugin versions, and a plugin-version inventory of your WordPress installations to find any copy older than 3.0.2.
The definitive fix is to update the plugin to version 3.0.2 or later, which patches the vulnerability.
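The log inspection and version inventory described above, as an added example that is not part of the advisory or of the Directorist plugin's code: a Python script that URL-decodes each request in a combined-format access log and flags SQL injection indicators, then parses a WordPress plugin header and compares its version against the 3.0.2 fix. The log lines and the plugin header are constructed for the example, and the admin-ajax action name and the `ref` parameter are invented placeholders, since the advisory does not identify the vulnerable endpoint or parameter.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines in the Apache/nginx "combined" format. The
# admin-ajax action and the "ref" parameter are invented placeholders: the
# advisory does not name the vulnerable endpoint or parameter.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [27/Apr/2026:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=booking_lookup&ref=BK-1001 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Apr/2026:10:01:09 +0000] "GET /wp-admin/admin-ajax.php?action=booking_lookup&ref=BK-1001%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9031 "-" "Mozilla/5.0"
198.51.100.4 - - [27/Apr/2026:10:02:41 +0000] "GET /wp-admin/admin-ajax.php?action=booking_lookup&ref=1%27%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.4 - - [27/Apr/2026:10:02:47 +0000] "GET /wp-admin/admin-ajax.php?action=booking_lookup&ref=1%27%20UNION%20SELECT%20user_login,user_pass%20FROM%20wp_users--%20 HTTP/1.1" 200 1203 "-" "python-requests/2.31"
192.0.2.9 - - [27/Apr/2026:10:03:00 +0000] "GET /listing/o'neill-pub/ HTTP/1.1" 200 7741 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [timestamp], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Indicator patterns, named after the injection technique each points at.
# They run on the percent-decoded request target, because the interesting
# characters (quote, space, comment markers) arrive URL-encoded.
SQLI_RULES = {
    "tautology": re.compile(r"'\s*(?:or|and)\s+'?\w+'?\s*=\s*'?\w+", re.I),
    "union_select": re.compile(r"\bunion\b[\s/*]+(?:all\s+)?select\b", re.I),
    "time_based": re.compile(r"\b(?:sleep|benchmark|pg_sleep)\s*\(", re.I),
    "sensitive_table": re.compile(r"\b(?:information_schema|wp_users|wp_options)\b", re.I),
    "comment_truncation": re.compile(r"--\s|--$|/\*"),
}


def scan_access_log(log_text):
    """One finding per request whose decoded target trips at least one rule,
    carrying source IP, decoded target, status, response size and rule names."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = unquote_plus(m.group("target"))
        fired = [name for name, rx in SQLI_RULES.items() if rx.search(decoded)]
        if fired:
            findings.append({
                "ip": m.group("ip"),
                "target": decoded,
                "status": int(m.group("status")),
                "size": int(m.group("size")) if m.group("size").isdigit() else 0,
                "rules": fired,
            })
    return findings


# Constructed WordPress plugin header of the kind WordPress reads from a
# plugin's main PHP file; only the Version line matters here.
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: Directorist Booking
 * Version: 3.0.1
 */
"""

HEADER_VERSION_RE = re.compile(r"^[ \t*#/]*Version:\s*([0-9][\w.\-]*)", re.M)


def plugin_version(main_file_text):
    """Version string from a plugin header block, or None if absent."""
    m = HEADER_VERSION_RE.search(main_file_text)
    return m.group(1) if m else None


def version_tuple(version):
    """'3.0.1' -> (3, 0, 1) so versions compare numerically, not as strings."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


def is_affected(version, fixed_in="3.0.2"):
    """True when the installed version predates the fix (advisory: < 3.0.2)."""
    return version_tuple(version) < version_tuple(fixed_in)


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"{f['ip']:14s} size={f['size']:5d} rules={','.join(f['rules'])}  {f['target']}")
    ver = plugin_version(SAMPLE_PLUGIN_HEADER)
    print(f"installed {ver}: {'AFFECTED, update to 3.0.2+' if is_affected(ver) else 'not affected'}")
```

On a live site, WP-CLI's `wp plugin list --fields=name,version` gives the same version inventory without reading plugin files. The rules are triage signals rather than proof: a legitimate search string can contain SQL keywords, and the jump in response size on the tautology request (9031 bytes against a 512-byte baseline for the same action) is often the stronger indicator that an injection actually returned extra rows. Access logs show only GET query strings, so pair this with WAF or ModSecurity audit logs for POST traffic.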
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the Directorist Booking plugin to version 3.0.2 or later, where the vulnerability has been patched.
Until the update can be applied, users can use a mitigation rule provided by Patchstack that blocks attacks targeting this vulnerability.
Users are also advised to seek assistance from their hosting providers or developers to secure their sites promptly.